An Automatic Attribute Based Access Control Policy Extraction from Access Logs
Leila Karimi, Student Member, IEEE, Maryam Aldairi, Student Member, IEEE,
James Joshi, Senior Member, IEEE, and Mai Abdelhakim, Member, IEEE
Abstract—With the rapid advances in computing and information technologies, traditional access control models have become inadequate in terms of capturing the fine-grained and expressive security requirements of newly emerging applications. An attribute-based access control (ABAC) model provides a more flexible approach to addressing the authorization needs of complex and dynamic systems. While organizations are interested in employing newer authorization models, migrating to such models poses a significant challenge. Many large-scale businesses need to grant authorizations to their user populations that are potentially distributed across disparate and heterogeneous computing environments. Each of these computing environments may have its own access control model. The manual development of a single policy framework for an entire organization is tedious, costly, and error-prone. In this paper, we present a methodology for automatically learning ABAC policy rules from the access logs of a system to simplify the policy development process. The proposed approach employs an unsupervised learning-based algorithm for detecting patterns in access logs and extracting ABAC authorization rules from these patterns. In addition, we present two policy improvement algorithms, rule pruning and policy refinement, to generate a higher quality mined policy. Finally, we implement a prototype of the proposed approach to demonstrate its feasibility.
Index Terms—Access Control, Attribute Based Access Control, Policy Mining, Policy Engineering, Machine Learning, Clustering.
1 INTRODUCTION
Access control systems are critical components of information systems that help protect information resources from unauthorized access. Various access control models and approaches have been proposed in the literature, including Discretionary Access Control (DAC) [1] [2], Mandatory Access Control (MAC) [3] [4], and Role-Based Access Control (RBAC) [5]. However, with the rapid advances in newer computing and information technologies (e.g., social networks, Internet of Things (IoT), cloud/edge computing, etc.), existing access control (AC) approaches have become inadequate in providing flexible and expressive authorization services [6]. For example, a health care environment requires a more expressive AC model that meets the needs of patients, health care providers, as well as other stakeholders in the health care ecosystem [7], [8]. Attribute Based Access Control (ABAC) models present a promising approach that addresses newer challenges in emerging applications [9]. An ABAC approach grants access rights to users based on attributes of entities in the system (i.e., user attributes, object attributes, and environmental conditions) and a set of authorization rules.
L. Karimi, M. Aldairi, and J. Joshi are with the School of Computing and Information, University of Pittsburgh. M. Abdelhakim is with Electrical and Computer Engineering, Swanson School of Engineering, University of Pittsburgh. Email addresses: {leila.karimi, ma.aldairi, jjoshi, and maia}@pitt.edu
© 2021 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, including reprinting/republishing this material for advertising or promotional purposes, collecting new collected works for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Although organizations and developers are interested in employing the next generation AC models, adopting such policy frameworks poses a significant challenge. Many large organizations need to grant authorization to their vast user populations distributed across disparate computing environments, including legacy systems. Each of these computing environments may have its own AC model. The manual development of a single policy for the entire organization is tedious and error-prone. Policy Mining techniques have been proposed in the literature to address such challenges and to help organizations cut the cost, time, and error of policy development/management. Policy mining algorithms ease the migration to more recent/appropriate authorization models by completely (or partially) automating the process of constructing AC policies.
Policy mining techniques were first introduced for developing RBAC policies. Kuhlmann et al. coined the term “role mining” to refer to a data mining approach that constructs roles from a given permission assignment dataset [10]; this work was followed by various role mining techniques, such as [11], [12], [13]. Although the proposed approaches are beneficial in developing optimal sets of roles, they are not applicable in extracting ABAC policies.
Xu and Stoller were the first to study the problem of mining ABAC policies from given access control matrices or logs [14], [15]. Following that, several researchers have investigated various ABAC policy mining techniques [16], [17], [18]. However, these studies suffer from several limitations, as follows:
• First, the existing approaches do not support mining authorization rules with negative filters. An ABAC policy rule can be comprised of a set of positive and negative filters. Negative filters are useful in scenarios when an exception needs to be expressed. For example, a healthcare provider can express the following rule using a negative attribute filter: “A nurse can read a patient’s record except for payment purposes.” Using negative filters in rule expressions results in a more concise authorization policy (Section 5).
[arXiv:2003.07270v4 [cs.CR] 30 Jan 2021]
• Second, some proposed approaches such as in [14], [15], [17] are unable to mine a high-quality policy when the given access log is not complete, in the sense that not every possible combination of attribute values is included in the access log (Section 3).
• Third, the proposed approaches are unable to mine a policy from noisy access logs containing over-assignments and under-assignments [16], [18]. Having noisy access records is a common problem in evolving domains such as IoT or social networks [19]. It is essential that an ABAC policy miner be capable of handling a reasonable amount of noise to be applicable to real-world applications.
• Last but not least, the existing approaches do not include techniques for improving the mined policy after the first round of policy extraction. In addition, in scenarios where the authorization policies may change over time (such as in social networks with the addition and removal of various applications), these approaches do not provide any guidelines for adjusting the policy. This makes practical deployment of these approaches very difficult.
Furthermore, none of the existing work addresses these issues in an integrated way. In this paper, we propose a machine learning based ABAC policy mining approach to address these challenges. To summarize, the primary contributions of this paper are as follows:
1) We propose an unsupervised learning based approach to extract ABAC policy rules that contain both positive and negative attribute filters as well as positive and negative relation conditions.
2) The proposed policy mining approach is effective even with an incomplete set of access logs and in the presence of noise.
3) As part of the unsupervised learning based approach, we propose the rule pruning and policy refinement algorithms to enhance the quality of the mined policy and to ease its maintenance.
4) We propose a policy quality metric based on policy correctness and conciseness to be able to compare different sets of mined policy rules and to select the best one based on some given criteria.
5) We implement a prototype of the proposed model and evaluate it using various ABAC policies to show its efficiency and effectiveness.
To the best of our knowledge, our proposed approach is the first unsupervised learning based ABAC policy mining method that can be used to extract ABAC policies with both positive and negative attribute and relationship filters.
The rest of the paper is organized as follows. In Section 2, we overview the ABAC model and its policy language as well as the unsupervised learning algorithm. In Section 3, we define the ABAC policy extraction problem, discuss the related challenges, and introduce the metrics for evaluating the extracted policy. In Section 4, we present the proposed ABAC policy extraction approach. In Section 5, we present the evaluation of the proposed approach on various sets of policies. We present the related work in Section 6 and the conclusions and future work in Section 8.
2 PRELIMINARIES
In this section, we overview ABAC, the ABAC policy language, and the unsupervised learning algorithm.
2.1 ABAC Model
In 2013, NIST published a “Guide to ABAC Definition and Consideration” [9], according to which, “the ABAC engine can make an access control decision based on the assigned attributes of the requester, the assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.” Throughout the paper, we use user attributes, object attributes, and session attributes to refer to the attributes of the requester, attributes of the object, and the environmental attributes/conditions, respectively.
Accordingly, $U, O, S, OP$ are the sets of users, objects, sessions, and operations in a system, and user attributes ($A_u$), object attributes ($A_o$), and session attributes ($A_s$) are mappings of subject attributes, object attributes, and environmental attributes as defined in the NIST Guide [9]. $E = U \cup O \cup S$ and $A = A_u \cup A_o \cup A_s$ are the sets of all entities and all attributes in the system, respectively.
Definition 1. (Attribute Range). Given an attribute $a \in A$, the attribute range $V_a$ is the set of all valid values for $a$ in the system.
Definition 2. (Attribute Function). Given an entity $e \in E$, an attribute function $f_a$ is a function that maps an entity to a specific value from the attribute range. Specifically, $f_a(e, a)$ returns the value of attribute $a$ for entity $e$.
Example 1. $f_a(John, position) = faculty$ indicates that the value of attribute position for user John is faculty.
Example 2. $f_a(dep1, crs) = \{cs101, cs601, cs602\}$ indicates that the value of attribute crs for object dep1 is the set $\{cs101, cs601, cs602\}$.
Each attribute in the system can be single-valued (atomic) or multi-valued (set). In Example 1, position is a single-valued attribute, while crs is a multi-valued attribute in Example 2. For simplicity, we consider only atomic attributes in this work. The process of extracting an ABAC policy with multi-valued attributes is exactly the same as that with atomic attributes; however, we need to pre-process the data to convert each multi-valued attribute to a set of atomic attributes. This can be done using various techniques such as defining dummy variables [20], the 1-of-$K$ scheme [21], etc. At the end of the process, when policy rules are extracted, we need one more step to convert the atomic attribute filters back to the corresponding multi-valued attribute filters.
Attribute filters are used to denote the sets of users, objects, and sessions to which an authorization rule applies.
Definition 3. (Attribute Filter). An attribute filter is defined as a set of tuples $\mathcal{F} = \{\langle a, v \,\vert\, !v\rangle \mid a \in A \text{ and } v \in V_a\}$. Here $\langle a, v\rangle$ is a positive attribute filter tuple that indicates $a$ has value $v$, and $\langle a, !v\rangle$ is a negative attribute filter tuple that indicates $a$ has any value in its range except $v$.
Example 3. Tuple $\langle label, !top\text{-}secret\rangle$ points to all entities in the system that do not have “top-secret” as their security label “label”.
Definition 4. (Attribute Filter Satisfaction). An entity $e \in E$ satisfies an attribute filter $\mathcal{F}$, denoted as $e \models \mathcal{F}$, iff
$$\forall \langle a_i, v_i\rangle \in \mathcal{F}: f_a(e, a_i) = v_i \;\wedge\; \forall \langle a_i, !v_i\rangle \in \mathcal{F}: f_a(e, a_i) \neq v_i.$$
Example 4. Suppose $A_u = \{dept, position, course\}$. The set of tuples $\mathcal{F}_U = \{\langle dept, CS\rangle, \langle position, grad\rangle\}$ denotes a user attribute filter. Here, the graduate students in the CS department satisfy $\mathcal{F}_U$.
Definition 5. (Relation Condition). A relation condition is defined as a set of tuples $\mathcal{R} = \{\langle a, b \,\vert\, !b\rangle \mid a, b \in A \wedge a \neq b\}$. Here $\langle a, b\rangle$ is a positive relation condition tuple that indicates $a$ and $b$ have the same values, and $\langle a, !b\rangle$ is a negative relation condition tuple that indicates $a$ and $b$ do not have the same values.
A relation is used in a rule to denote the equality condition between two attributes of users, objects, or sessions. Note that the two attributes in the relation condition must have the same range.
Definition 6. (Relation Condition Satisfaction). An entity $e \in E$ satisfies a relation condition $\mathcal{R}$, denoted as $e \models \mathcal{R}$, iff
$$\forall \langle a_i, b_i\rangle \in \mathcal{R}: f_a(e, a_i) = f_a(e, b_i) \;\wedge\; \forall \langle a_i, !b_i\rangle \in \mathcal{R}: f_a(e, a_i) \neq f_a(e, b_i).$$
Definition 7. (Access Request). An access request is a tuple $q = \langle u, o, s, op\rangle$ where user $u \in U$ sends a request to the system to perform operation $op \in OP$ on object $o \in O$ in session $s \in S$.
Definition 8. (Authorization Tuple/Access Log). An authorization tuple is a tuple $t = \langle q, d\rangle$ containing the decision $d$ made by the access control system for request $q$. An Access Log $\mathcal{L}$ is a set of such tuples.
The decision $d$ of an authorization tuple can be permit or deny. A tuple with a permit decision means that user $u$ can perform operation $op$ on object $o$ in session $s$. An authorization tuple with a deny decision means that user $u$ cannot perform operation $op$ on object $o$ in session $s$.
The access log is the union of the Positive Access Log, $\mathcal{L}^+$, and the Negative Access Log, $\mathcal{L}^-$, where:
$$\mathcal{L}^+ = \{\langle q, d\rangle \mid \langle q, d\rangle \in \mathcal{L} \wedge d = permit\},$$
and
$$\mathcal{L}^- = \{\langle q, d\rangle \mid \langle q, d\rangle \in \mathcal{L} \wedge d = deny\}.$$
Definition 9. (ABAC Rule). An access rule $\rho$ is a tuple $\langle \mathcal{F}, \mathcal{R}, op \,\vert\, !op\rangle$, where $\mathcal{F}$ is an attribute filter, $\mathcal{R}$ is a relation condition, and $op$ is an operation. $!op$ is a negated operation that indicates the operation can have any value except $op$.
Example 5. Consider rule $\rho_1 = \langle \{\langle position, student\rangle, \langle location, campus\rangle, \langle type, article\rangle\}, \{\langle dept_u, dept_o\rangle\}, read\rangle$. It can be interpreted as “A student can read an article if he/she is on campus and his/her department matches the department of the article”.
Definition 10. (Rule Satisfaction). An access request $q = \langle u, o, s, op\rangle$ is said to satisfy a rule $\rho$, denoted as $q \models \rho$, iff
$$\langle u, o, s\rangle \models \mathcal{F} \;\wedge\; \langle u, o, s\rangle \models \mathcal{R} \;\wedge\; op_q = op_\rho.$$
Definition 11. (ABAC Policy). An ABAC policy is a tuple $\pi = \langle E, OP, A, f_a, \mathcal{P}\rangle$ where $E$, $OP$, $A$, and $\mathcal{P}$ are the sets of entities, operations, attributes, and ABAC rules in the system and $f_a$ is the attribute function.
Definition 12. (ABAC Policy Decision). The decision of an ABAC policy $\pi$ for an access request $q$, denoted as $d_\pi(q)$, is permit iff:
$$\exists \rho \in \mathcal{P}: q \models \rho,$$
otherwise, the decision is deny.
If an access request satisfies a rule of the access control policy, then the decision of the system for that access request is permit. If the access request does not satisfy any rule in the access control policy, then the decision of the system for that access request is deny.
TABLE 1 summarizes the notations used in this paper.
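The policy language of Definitions 3 to 12 can be exercised directly. The following Python is an added example written for this edit, not code from the paper or its prototype: it models attribute filters (Definition 3), relation conditions (Definition 5), rule satisfaction (Definition 10) and the policy decision (Definition 12) over a constructed set of entities, and evaluates rule $\rho_1$ of Example 5 next to a second rule that carries a negative filter. The entity names and attribute values, the split of $\mathcal{F}$ into per-entity filters $\mathcal{F}_U$, $\mathcal{F}_O$, $\mathcal{F}_S$, the tagging of relation sides with the roles u/o/s, and the treatment of a missing attribute as never equal are assumptions of the example.

```python
"""Added example (not the paper's code): ABAC rule evaluation with positive and
negative attribute filters and relation conditions, following Definitions 3-12."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed attribute function f_a(e, a) (Definition 2) backed by a plain dict.
ENTITIES: Dict[str, Dict[str, str]] = {
    "alice": {"position": "student", "location": "campus", "dept": "cs"},
    "bob":   {"position": "student", "location": "home",   "dept": "cs"},
    "carol": {"position": "faculty", "location": "campus", "dept": "cs"},
    "dan":   {"position": "student", "location": "campus", "dept": "ee"},
    "art1":  {"type": "article", "dept": "cs"},
    "art2":  {"type": "article", "dept": "ee"},
    "sess":  {"time": "working-hours"},
}

def f_a(entity: str, attr: str) -> Optional[str]:
    """Value of attribute `attr` for entity `entity`; None when the attribute is unset."""
    return ENTITIES.get(entity, {}).get(attr)

# <a, v> is (a, v, False); <a, !v> is (a, v, True)  (Definition 3).
Filter = Tuple[str, str, bool]
# <a, b> / <a, !b>; each side names the entity role ("u", "o", "s") and the attribute,
# so (("u", "dept"), ("o", "dept"), False) is the tuple <dept_u, dept_o> of Example 5.
Relation = Tuple[Tuple[str, str], Tuple[str, str], bool]

@dataclass(frozen=True)
class Rule:
    """ABAC rule <F, R, op | !op> (Definition 9) with F split by entity role."""
    fu: FrozenSet[Filter] = frozenset()
    fo: FrozenSet[Filter] = frozenset()
    fs: FrozenSet[Filter] = frozenset()
    rel: FrozenSet[Relation] = frozenset()
    op: str = ""
    op_negated: bool = False

def satisfies_filter(entity: str, filt: FrozenSet[Filter]) -> bool:
    """e |= F (Definition 4): every positive tuple holds and no negative tuple is hit."""
    for attr, value, negated in filt:
        actual = f_a(entity, attr)
        if negated and actual == value:
            return False
        if not negated and actual != value:
            return False
    return True

def satisfies_relation(roles: Dict[str, str], rel: FrozenSet[Relation]) -> bool:
    """<u, o, s> |= R (Definition 6): (in)equality of two attribute values."""
    for (role_a, attr_a), (role_b, attr_b), negated in rel:
        va, vb = f_a(roles[role_a], attr_a), f_a(roles[role_b], attr_b)
        equal = va is not None and va == vb   # assumption: missing is never equal
        if negated == equal:                   # positive tuple needs equal, negative needs unequal
            return False
    return True

def satisfies_rule(request: Tuple[str, str, str, str], rule: Rule) -> bool:
    """q |= rho (Definition 10)."""
    u, o, s, op = request
    roles = {"u": u, "o": o, "s": s}
    op_ok = (op != rule.op) if rule.op_negated else (op == rule.op)
    return (op_ok and satisfies_filter(u, rule.fu) and satisfies_filter(o, rule.fo)
            and satisfies_filter(s, rule.fs) and satisfies_relation(roles, rule.rel))

def decide(policy, request: Tuple[str, str, str, str]) -> str:
    """d_pi(q) (Definition 12): permit iff some rule is satisfied, otherwise deny."""
    return "permit" if any(satisfies_rule(request, r) for r in policy) else "deny"

# rho_1 of Example 5: a student on campus may read an article of their own department.
RHO_1 = Rule(
    fu=frozenset({("position", "student", False), ("location", "campus", False)}),
    fo=frozenset({("type", "article", False)}),
    rel=frozenset({(("u", "dept"), ("o", "dept"), False)}),
    op="read",
)
# A constructed rule with a negative filter: anyone who is not a student may read any article.
RHO_2 = Rule(fu=frozenset({("position", "student", True)}),
             fo=frozenset({("type", "article", False)}), op="read")
POLICY = [RHO_1, RHO_2]

if __name__ == "__main__":
    for req in [("alice", "art1", "sess", "read"), ("bob", "art1", "sess", "read"),
                ("dan", "art1", "sess", "read"), ("carol", "art2", "sess", "read"),
                ("alice", "art1", "sess", "write")]:
        print(req, "->", decide(POLICY, req))
```

Of the five requests, alice/art1/read is permitted by $\rho_1$, carol/art2/read by the negative filter of $\rho_2$, and the rest are denied: bob is off campus, dan's department does not match the article's, and no rule covers the write operation.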
2.2 Unsupervised Learning Algorithm
Unsupervised learning algorithms try to infer a function that describes the structure of unlabeled data. They are useful when no or very few labeled data are available. We leverage such methods for extracting ABAC policies from access logs.
In particular, given a set of authorization tuples, we employ an unsupervised learning approach to mine and extract an ABAC policy that has high quality. An unsupervised learning approach is suitable because there is no labeled data available for the desired ABAC rules. ABAC policy extraction, in this case, can be considered as a mapping between authorization tuples and a set of clusters that are representative of the desired ABAC rules. Such a mapping can be expressed as a function, $h: \mathcal{X} \rightarrow \mathcal{Y}$, where:
1) $\mathcal{X}$ is a set of authorization tuples (i.e., the access log).
2) $\mathcal{Y}$ is a set of numbered labels (i.e., cluster labels, each cluster corresponding to a rule of the ABAC policy $\pi$).
The goal is then to learn the function $h$ with low clustering error and mine a desired policy that is of high quality.
3 PROBLEM DEFINITION
3.1 ABAC Policy Extraction Problem
Although organizations are interested in employing an ABAC model, adopting it is a big challenge for them. The manual development of such a policy is tedious and error-prone. Policy Mining techniques have been proposed to address such challenges in order to reduce the cost, time, and error of policy development/maintenance. ABAC policy mining algorithms ease the migration to the ABAC framework by completely (or partially) automating the development of ABAC policy rules.

TABLE 1: Notations
Notation | Definition
$U, O, S, OP$ | Sets of users, objects, sessions, and operations
$A_u, A_o, A_s$ | Sets of user attributes, object attributes, and session attributes
$E = U \cup O \cup S$ | Set of all entities
$A = A_u \cup A_o \cup A_s$ | Set of all attributes
$V_a$ | Attribute range: set of all valid values for $a \in A$
$f_a(e, a)$ | Attribute function: maps an entity $e \in E$ to a value from $V_a$
$\mathcal{F} = \{\langle a, v \,\vert\, !v\rangle \mid a \in A \wedge v \in V_a\}$ | Attribute filter
$\mathcal{R} = \{\langle a, b\rangle \mid a, b \in A \wedge a \neq b \wedge V_a = V_b\}$ | Relation condition
$q = \langle u, o, s, op\rangle$ | Access request
$t = \langle q, d\rangle$ | Authorization tuple, showing decision $d$ made by the system for request $q$
$\mathcal{L}$ | Access log, set of authorization tuples
$\mathcal{L}^+ = \{\langle q, d\rangle \mid \langle q, d\rangle \in \mathcal{L} \wedge d = permit\}$ | Positive access log
$\mathcal{L}^- = \{\langle q, d\rangle \mid \langle q, d\rangle \in \mathcal{L} \wedge d = deny\}$ | Negative access log
$\rho = \langle \mathcal{F}, \mathcal{R}, op \,\vert\, !op\rangle$ | ABAC rule
$\mathcal{P}$ | Set of all policy rules
$\pi = \langle E, OP, A, f_a, \mathcal{P}\rangle$ | ABAC policy
$d_\pi(q)$ | The decision of an ABAC policy $\pi$ for an access request $q$
$\mathit{TPR}_{\pi\vert\mathcal{L}}, \mathit{FPR}_{\pi\vert\mathcal{L}}, \mathit{TNR}_{\pi\vert\mathcal{L}}, \mathit{FNR}_{\pi\vert\mathcal{L}}$ | Relative true positive, false positive, true negative, and false negative rates
$\mathit{ACC}_{\pi\vert\mathcal{L}}$ | Relative accuracy rate
$\mathit{F\text{-}score}_{\pi\vert\mathcal{L}}$ | Relative F-score
$\mathit{WSC}(\pi)$ | Weighted structural complexity of policy $\pi$
$\mathcal{Q}_\pi$ | Policy quality metric
The primary input to a policy mining algorithm is the log of authorization decisions in the system. The log indicates the authorization decision (i.e., permit or deny) for any given access request by a user of the system. For ABAC policy mining, such a log is accompanied by the attributes of the entities involved in the log entries. The goal of a policy mining algorithm is to extract ABAC policy rules from access logs that have high quality with respect to some quality metrics (e.g., policy size and correctness).
We define the ABAC policy extraction problem formally as follows:
Definition 13. (ABAC Policy Extraction Problem). Let $I = \langle E, OP, A, f_a, \mathcal{L}\rangle$, where the components are as defined earlier; then the ABAC policy extraction problem is to find a set of rules $\mathcal{R}$ such that the ABAC policy $\pi = \langle E, OP, A, f_a, \mathcal{R}\rangle$ has high quality with respect to $\mathcal{L}$.
3.2 Challenges and Requirements
For an ABAC policy extraction approach to be applicable to a wide range of real-world scenarios, we identify the following challenges and requirements:
1) Correctness of Mined Policy: The mined policy must be consistent with the original authorization log, in that the access decision of the mined policy must match the access decision of the log entry. An inconsistent extracted policy may result in situations in which an originally authorized access is denied (more restrictive) or an originally unauthorized access is permitted (less restrictive) by the system.
2) Complexity of Mined Policy: The policy mining algorithm should endeavor to extract a policy that is as concise as possible. Since the policy rules need to be manipulated by human administrators, the more concise they are, the more manageable and easier to interpret they are. In addition, succinct rules are desirable as they are easier to audit and manage.
3) Negative Attribute Filters: The ABAC policy mining solution should support both positive and negative attribute filters, which results in a more concise and manageable mined policy.
4) Relation Conditions: The solution should support the extraction of relation conditions for policy mining in order to generate a more concise and manageable mined policy.
5) Sparse Logs: In the real world, the access log that is input to the policy mining algorithm may be sparse, representing only a small fraction of all possible access requests. The policy mining algorithm must be able to extract useful rules even from a sparse log.
6) Mining Negative Authorization Rules: An ABAC policy can contain both positive and negative rules, which permit or deny access requests, respectively. The use of negative rules is helpful in situations where specifying exceptions to more general rules is important. Including negative policy rules would help in generating a more concise ABAC policy. Thus, the policy mining algorithm should be able to extract both positive and negative authorization rules.
7) Noisy Authorization Log: In the real world and with complex and dynamic information systems, it is possible to have a noisy authorization log consisting of over-assignments and under-assignments. These issues occur either due to a wrong configuration of the original authorization system or improper policy updates by administrators. The policy mining algorithm should be capable of extracting meaningful rules even in the presence of an acceptable amount of noise in the input access log.
8) Dynamic and Evolving Policies: Modern information systems are often dynamic. The authorization needs of these systems and the attributes of the entities in the environment evolve rapidly. These changes will result in over-assignments or under-assignments. The proposed method should employ a mechanism to support the dynamicity of the information systems and their authorization policies and ease the maintenance of evolving systems.
Our proposed approach addresses all the requirements except the sixth one. Table 2 shows the challenges that are addressed by our proposed approach and how it improves upon the state-of-the-art policy mining techniques. In Section 6, we discuss the existing solutions in detail.
3.3 Evaluation Metrics
One of the main metrics for evaluating the quality of an extracted policy is how accurately it matches the original policy. That means the authorization decisions made by the extracted policy for a set of access requests should be similar to the decisions made by the original policy for that set of requests. As an example, if the decision of the original policy for an access request $q$ is permit, then the decision of the mined policy for the same access request must be permit as well. If the mined policy denies the same access request, then we record this authorization tuple as a False Negative. We define the Relative True Positive, Relative False Positive, Relative True Negative, and Relative False Negative rates, respectively, as follows:
Definition 14. (Relative True Positive Rate). Given an access log $\mathcal{L}$ and an ABAC policy $\pi$, the relative true positive rate of $\pi$ regarding $\mathcal{L}$, denoted as $\mathit{TPR}_{\pi\vert\mathcal{L}}$, is the portion of positive access logs for which the decision of $\pi$ is permit:
$$\mathit{TPR}_{\pi\vert\mathcal{L}} = \frac{\lvert\{\langle q, d\rangle \in \mathcal{L}^+ \mid d_\pi(q) = permit\}\rvert}{\lvert\mathcal{L}^+\rvert}$$
Here, $\lvert S\rvert$ is the cardinality of set $S$.
Definition 15. (Relative False Positive Rate). The relative false positive rate of $\pi$ regarding $\mathcal{L}$, denoted as $\mathit{FPR}_{\pi\vert\mathcal{L}}$, is the portion of negative access logs for which the decision of $\pi$ is permit:
$$\mathit{FPR}_{\pi\vert\mathcal{L}} = \frac{\lvert\{\langle q, d\rangle \in \mathcal{L}^- \mid d_\pi(q) = permit\}\rvert}{\lvert\mathcal{L}^-\rvert}$$
Similarly, we calculate the relative true negative rate and false negative rate of $\pi$ regarding $\mathcal{L}$, denoted as $\mathit{TNR}_{\pi\vert\mathcal{L}}$ and $\mathit{FNR}_{\pi\vert\mathcal{L}}$, respectively, as follows:
$$\mathit{TNR}_{\pi\vert\mathcal{L}} = \frac{\lvert\{\langle q, d\rangle \in \mathcal{L}^- \mid d_\pi(q) = deny\}\rvert}{\lvert\mathcal{L}^-\rvert}$$
$$\mathit{FNR}_{\pi\vert\mathcal{L}} = \frac{\lvert\{\langle q, d\rangle \in \mathcal{L}^+ \mid d_\pi(q) = deny\}\rvert}{\lvert\mathcal{L}^+\rvert}$$
The relative precision and relative recall are calculated as follows:
$$\mathit{Precision}_{\pi\vert\mathcal{L}} = \frac{\mathit{TPR}_{\pi\vert\mathcal{L}}}{\mathit{TPR}_{\pi\vert\mathcal{L}} + \mathit{FPR}_{\pi\vert\mathcal{L}}}$$
$$\mathit{Recall}_{\pi\vert\mathcal{L}} = \frac{\mathit{TPR}_{\pi\vert\mathcal{L}}}{\mathit{TPR}_{\pi\vert\mathcal{L}} + \mathit{FNR}_{\pi\vert\mathcal{L}}}$$
The relative accuracy metric, $\mathit{ACC}_{\pi\vert\mathcal{L}}$, measures the accuracy of the mined policy $\pi$ with regard to the decisions made by the original policy indicated by $\mathcal{L}$ and is defined formally as follows:
Definition 16. (Relative Accuracy). Given the relative true positive and negative rates, the relative accuracy of $\pi$ regarding $\mathcal{L}$, denoted as $\mathit{ACC}_{\pi\vert\mathcal{L}}$, is calculated as follows:
$$\mathit{ACC}_{\pi\vert\mathcal{L}} = \frac{\mathit{TPR}_{\pi\vert\mathcal{L}} + \mathit{TNR}_{\pi\vert\mathcal{L}}}{\mathit{TPR}_{\pi\vert\mathcal{L}} + \mathit{TNR}_{\pi\vert\mathcal{L}} + \mathit{FPR}_{\pi\vert\mathcal{L}} + \mathit{FNR}_{\pi\vert\mathcal{L}}}$$
As accuracy may be misleading in unbalanced data sets [22] (which is very probable in the case of access logs), we use the relative F-score to better evaluate the mined policy:
$$\mathit{F\text{-}score}_{\pi\vert\mathcal{L}} = 2 \cdot \frac{\mathit{Precision}_{\pi\vert\mathcal{L}} \cdot \mathit{Recall}_{\pi\vert\mathcal{L}}}{\mathit{Precision}_{\pi\vert\mathcal{L}} + \mathit{Recall}_{\pi\vert\mathcal{L}}}$$
Policies with a higher relative F-score are better, as they are more consistent with the original access log.
On the other hand, as the number of filters in each rule and the number of rules in an access control policy increase, policy intelligibility decreases and maintenance of the policy becomes harder. Hence, complexity is another key metric for evaluating the quality of a policy.
Weighted Structural Complexity (WSC) is a generalization of policy size and was first introduced for RBAC policies [23] and later extended to ABAC policies [15]. WSC is consistent with usability studies of access control rules, which indicate that the more concise the policies are, the more manageable they become [24]. Informally, for a given ABAC policy, its WSC is a weighted sum of its elements. Formally, for an ABAC policy $\pi$ with rules $\mathcal{P}$, its WSC is defined as follows:
$$\mathit{WSC}(\pi) = \mathit{WSC}(\mathcal{P})$$
$$\mathit{WSC}(\mathcal{P}) = \sum_{\rho \in \mathcal{P}} \mathit{WSC}(\rho)$$
$$\mathit{WSC}(\rho = \langle \mathcal{F}_U, \mathcal{F}_O, \mathcal{F}_S, \mathcal{R}, op, d\rangle) = w_1 \mathit{WSC}(\mathcal{F}_U) + w_2 \mathit{WSC}(\mathcal{F}_O) + w_3 \mathit{WSC}(\mathcal{F}_S) + w_4 \mathit{WSC}(\mathcal{R})$$
$$\forall S \in \{\mathcal{F}_U, \mathcal{F}_O, \mathcal{F}_S, \mathcal{R}\}: \mathit{WSC}(S) = \sum \lvert S\rvert$$
where $\lvert S\rvert$ is the cardinality of set $S$ and each $w_i$ is a user-specified weight.
Van Rijsbergen proposes an effectiveness measure for combining two different metrics $P$ and $R$ in [25] as follows:
$$E = 1 - \frac{1}{\frac{\alpha}{P} + \frac{1 - \alpha}{R}}$$
Given the relative F-score and WSC measures for various mined policies resulting from running different mining algorithms over an access log, it may not be straightforward to select the best algorithm and, hence, the mined policy with the highest quality. So, to be able to compare the quality of different mined ABAC policies, we combine the two metrics based on Van Rijsbergen’s effectiveness measure [25] and define the Policy Quality Metric as follows:
TABLE 2: State-of-the-art ABAC Rule Mining Techniques (✓ = addressed, ✗ = not addressed)
Requirement | Xu et al. [15] | Medvet et al. [16] | Iyer et al. [17] | Cotrini et al. [18] | Our Proposed Approach
Policy Correctness | ✓ | ✓ | ✓ | ✓ | ✓
Policy Complexity | ✓ | ✓ | ✓ | ✓ | ✓
Negative Attribute Filters | ✗ | ✗ | ✗ | ✗ | ✓
Relation Conditions | ✓ | ✓ | ✓ | ✗ | ✓
Sparse Logs | ✗ | ✓ | ✗ | ✓ | ✓
Negative Authorization Rules | ✗ | ✗ | ✓ | ✗ | ✗
Noisy Authorization Log | ✓ | ✗ | ✗ | ✗ | ✓
System Dynamicity | ✗ | ✗ | ✗ | ✗ | ✓
$$\mathcal{Q}_\pi = \left(\frac{\alpha}{\mathit{F\text{-}score}_{\pi\vert\mathcal{L}}} + \frac{1 - \alpha}{\Delta\mathit{WSC}_\pi}\right)^{-1}$$
Here $\alpha = \frac{1}{1 + \beta^2}$, where $\beta$ determines the importance of the relative F-score over policy complexity, and $\Delta\mathit{WSC}_\pi$ shows the relative reduction in complexity with regard to the complexity of the most complex mined policy. $\Delta\mathit{WSC}_\pi$ is calculated as follows:
$$\Delta\mathit{WSC}_\pi = \frac{\mathit{WSC}_{max} - \mathit{WSC}(\pi) + 1}{\mathit{WSC}_{max}}$$
$\mathit{WSC}_{max}$ is the weighted structural complexity of the most complex mined policy.
Definition 17. (Most Complex Mined Policy). The most complex mined policy is the mined policy with the highest weighted structural complexity. It is extracted by iterating through the positive access log $\mathcal{L}^+$ and adding an access control rule for each authorization tuple if it is not already included in the mined policy. The corresponding rule for each authorization tuple includes all attributes of the user, object, and subject of that authorization tuple.
Considering the equal importance of the relative F-score and the relative loss of complexity of the policy, we calculate the quality measure as follows:
$$\mathcal{Q}_\pi = \frac{2 \cdot \mathit{F\text{-}score}_{\pi\vert\mathcal{L}} \cdot \Delta\mathit{WSC}_\pi}{\mathit{F\text{-}score}_{\pi\vert\mathcal{L}} + \Delta\mathit{WSC}_\pi}$$
A mined policy with a higher F-score has a higher policy quality. On the other hand, as the complexity of a policy increases, its quality decreases. The intuition here is that once an extracted policy reaches a high F-score, adding additional rules leads to a decrease in $\mathcal{Q}_\pi$.
For the most complex mined policy $\pi_w$, $\Delta\mathit{WSC}_{\pi_w} \approx 0$, so its policy quality $\mathcal{Q}_{\pi_w}$ is very close to zero. For an empty mined policy $\pi_e$ (a policy without any rule), while $\Delta\mathit{WSC}_{\pi_e} \approx 1$, as it denies all the access requests, its false negative rate is one and its true positive rate is zero. So its precision is zero and, as a result, its F-score is zero as well. So the quality of the empty policy $\mathcal{Q}_{\pi_e}$ is zero, too.
The most complex mined policy and the empty mined policy are the two extreme cases with policy quality equal to zero. Other mined policies between these two cases have a policy quality higher than zero.
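The metrics of this section, computed end to end on constructed data, as an added example that is not the paper's code or its prototype. The block takes the outcome of each log entry as a pair (decision recorded in the log, decision of the mined policy), so it needs no rule evaluator; it computes the relative rates of Definitions 14 and 15, precision, recall, accuracy (Definition 16) and the relative F-score, the WSC of a mined policy given the sizes of its rule components, $\mathit{WSC}_{max}$ from Definition 17, and $\mathcal{Q}_\pi$ with $\alpha = 1/2$. The outcome pairs, the positive records, the rule shapes and the choice of equal weights $w_i = 1$ are assumptions of the example.

```python
"""Added example (not the paper's code): the evaluation metrics of Section 3.3 on
constructed data. Inputs are (log decision, mined-policy decision) pairs."""
from typing import Dict, Sequence, Tuple

Outcome = Tuple[str, str]  # (decision recorded in the log, decision of the mined policy)

def relative_rates(outcomes: Sequence[Outcome]) -> Dict[str, float]:
    """TPR, FNR over L+ (log says permit) and FPR, TNR over L- (log says deny)."""
    pos = [mined for logged, mined in outcomes if logged == "permit"]
    neg = [mined for logged, mined in outcomes if logged == "deny"]
    def share(decisions, wanted):
        return sum(d == wanted for d in decisions) / len(decisions) if decisions else 0.0
    return {"TPR": share(pos, "permit"), "FNR": share(pos, "deny"),
            "FPR": share(neg, "permit"), "TNR": share(neg, "deny")}

def precision_recall(rates: Dict[str, float]) -> Tuple[float, float]:
    """Relative precision TPR/(TPR+FPR) and relative recall TPR/(TPR+FNR)."""
    tpr, fpr, fnr = rates["TPR"], rates["FPR"], rates["FNR"]
    precision = tpr / (tpr + fpr) if tpr + fpr else 0.0
    recall = tpr / (tpr + fnr) if tpr + fnr else 0.0
    return precision, recall

def f_score(rates: Dict[str, float]) -> float:
    """Relative F-score; 0 for the empty policy, whose precision is 0."""
    precision, recall = precision_recall(rates)
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0

def accuracy(rates: Dict[str, float]) -> float:
    """Relative accuracy (Definition 16)."""
    total = rates["TPR"] + rates["TNR"] + rates["FPR"] + rates["FNR"]
    return (rates["TPR"] + rates["TNR"]) / total if total else 0.0

# A rule reduced to the sizes |F_U|, |F_O|, |F_S|, |R| of its four components.
RuleShape = Tuple[int, int, int, int]

def wsc(policy: Sequence[RuleShape], weights=(1.0, 1.0, 1.0, 1.0)) -> float:
    """Weighted structural complexity: sum over rules of w_i times the component size."""
    return sum(w * size for rule in policy for w, size in zip(weights, rule))

def most_complex_wsc(positive_records: Sequence[Dict[str, str]], weight: float = 1.0) -> float:
    """WSC_max (Definition 17): one rule per distinct positive record, filtering on every
    attribute of that record. A single weight for all components is an assumption."""
    distinct = {frozenset(rec.items()) for rec in positive_records}
    return sum(weight * len(rule) for rule in distinct)

def policy_quality(fscore: float, wsc_policy: float, wsc_max: float) -> float:
    """Q_pi with alpha = 1/2: harmonic mean of the F-score and delta WSC."""
    delta = (wsc_max - wsc_policy + 1) / wsc_max
    return 2 * fscore * delta / (fscore + delta) if fscore + delta else 0.0

# Constructed outcomes: 5 permitted and 5 denied log entries, one error of each kind.
OUTCOMES = [("permit", "permit")] * 4 + [("permit", "deny")] + \
           [("deny", "deny")] * 4 + [("deny", "permit")]
# Constructed positive records with six attributes each; the last duplicates the first,
# so Definition 17 yields four rules of six filters: WSC_max = 24.
POSITIVE_RECORDS = [
    {"position": "student", "location": "campus", "dept_u": "cs", "type": "article", "dept_o": "cs", "time": "working-hours"},
    {"position": "student", "location": "campus", "dept_u": "ee", "type": "article", "dept_o": "ee", "time": "working-hours"},
    {"position": "faculty", "location": "campus", "dept_u": "cs", "type": "article", "dept_o": "cs", "time": "working-hours"},
    {"position": "faculty", "location": "home", "dept_u": "cs", "type": "article", "dept_o": "ee", "time": "working-hours"},
    {"position": "student", "location": "campus", "dept_u": "cs", "type": "article", "dept_o": "cs", "time": "working-hours"},
]
# Shape of a constructed two-rule mined policy: (|F_U|, |F_O|, |F_S|, |R|) per rule.
MINED_SHAPE = [(2, 1, 0, 1), (1, 1, 0, 0)]

def report() -> Dict[str, object]:
    rates = relative_rates(OUTCOMES)
    fs = f_score(rates)
    w, w_max = wsc(MINED_SHAPE), most_complex_wsc(POSITIVE_RECORDS)
    return {"rates": rates, "accuracy": accuracy(rates), "f_score": fs,
            "wsc": w, "wsc_max": w_max, "quality": policy_quality(fs, w, w_max)}

if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

With one false negative and one false positive out of ten entries, every rate is 0.8 or 0.2 and the F-score is 0.8; the mined policy has WSC 6 against a $\mathit{WSC}_{max}$ of 24, so $\Delta\mathit{WSC}_\pi = 19/24$ and $\mathcal{Q}_\pi \approx 0.796$. The two extreme cases of the text come out as described: a perfect F-score at $\mathit{WSC}_{max}$ still scores only $2/25$, and an empty policy scores 0.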
4 THE PROPOSED LEARNING-BASED APPROACH
Our proposed learning-based ABAC policy extraction procedure consists of the steps summarized in Figure 1.
1. Data Pre-processing: handling missing values, converting to categorical values.
2. Parameter Tuning: finding the best number of clusters, the best cluster initialization, and appropriate thresholds.
3. Clustering: clustering data using the k-means/k-modes algorithm.
4. Rule Extraction: finding effective attributes and relations, building rules.
5. Rule Pruning: removing duplicate rules, finding similar rules and eliminating them.
6. Policy Refinement: refining policy rules based on FP and FN records.
Fig. 1: Overview of the Proposed Approach.
4.1 Data Pre-processing
As the features of our learning algorithm are categorical variables, the first step in pre-processing the access log is to convert all numerical variables to their corresponding categorical values. For example, in ABAC, environmental attributes deal with time, location, or dynamic aspects of the access control scenario. Hence, we need to pre-process and discretize such continuous variables into categorical ones (e.g., time of access into working hours and non-working hours) so that our proposed algorithm is applicable to them.
We also need to handle missing values in this step. As the frequency of each attribute value is an important factor in our rule extraction algorithm (Section 4.4) for deciding whether an attribute is effective or not, it is important to replace missing values in a way that does not distort the original frequency of each attribute value. For this purpose, we replace each missing value by UNK (i.e., unknown).
4.2 Selection of Learning Algorithm
We use the K-modes algorithm [26], which is a well known unsupervised learning algorithm used for clustering categorical data. K-modes has proved effective in mining ABAC policies [27]; this algorithm uses an initialization method based on both the distance between data points and the density of data points. Using both density and distance when initializing clusters helps avoid two problems: (i) clustering outliers as new clusters when based only on the distances; and (ii) creating new clusters surrounding one center when based only on the density. Compared to a random
initialization method, this method provides more robustnessand better accuracy in the clustering process [26].
4.3 Parameter TuningIn the next step, we tune the learning parameters. There areseveral challenges that need to be addressed in this step,which include the following:
4.3.1 Number of Clusters (k)One of the main challenges in an unsupervised learningis determining the number of clusters, π . In our samplepolicies, as we know the number of rules in each policy,we can set the number of clusters beforehand but in areal situation as we do not know the size of the rules inadvance, making the correct choice of π is difficult. One ofthe popular methods for determining the number of clustersin an unsupervised learning model is the Elbow Method [28],[29]. This method is based on total within group sum ofsquares. π will be chosen as the number of clusters if addinganother cluster doesnβt give much better modeling of thedata (i.e., the elbow point of the graph).
As a second approach, we choose a number of clusters(π) which gives the best modeling of the data in terms of thepolicy quality metric. For this purpose, we run our clusteringalgorithm for different values of π and calculate the accuracyof the corresponding model using 10-fold cross-validation.The value of π that maximizes the accuracy of the model isselected as the final number of clusters.
Note that increasing k will ultimately reduce the amount of clustering error, i.e., it will increase the accuracy of the model; but by increasing the number of clusters, the number of extracted rules will also increase, resulting in more complexity (i.e., higher WSC). So it is important to find an optimal k that balances policy accuracy against WSC.
4.3.2 Cluster Initialization & Local Optima
Different cluster initializations can lead to a different set of clusters, as k-means/k-modes may converge to a local optimum. To overcome this issue, for a given number of clusters, k, we train multiple models with different cluster initializations and then select the partition with the smallest clustering error.
4.4 Policy Rules Extraction
The main phase in our proposed approach is the extraction of ABAC policy rules. In the first step, we need to collect all the authorization tuples related to each rule of the policy. We use data clustering for this purpose. We divide the access log into clusters where the records in each cluster correspond to one AC rule in the system. This is done based on finding similar patterns between features (i.e., attribute values) of the records (i.e., access control tuples). In the second step, we extract the attribute filters of such a rule. We adapt the rule extraction algorithm in [27] and extend it to extract both positive and negative attribute filters. We define effective positive attribute and effective negative attribute as follows:
Definition 18. (Effective Positive (Negative) Attribute). Let V = {⟨a, v⟩} be the set of all possible attribute-value pairs in a system; we define ⟨a_i, v_i⟩ ∈ V (⟨a_i, !v_i⟩ ∈ V) as an effective positive (negative) attribute pair of r_k corresponding to cluster C_k, where the frequency of occurrence of v_i in the set of all the records of cluster C_k is much higher (lower) than its frequency of occurrence in the original data; this is determined based on a threshold T_p (T_n). The attribute expression ⟨a_i, v_i⟩ (⟨a_i, !v_i⟩) is added to the attribute filters of the extracted rule r_k for C_k.
In the final step, we extract the relation conditions of the AC rule for each cluster. This is done based on the frequency of equality between pairs of attributes in the records of each cluster. We define effective positive relation and effective negative relation as follows:
Definition 19. (Effective Positive (Negative) Relation). Let R = {⟨a, b⟩} be the set of all possible relations between pairs of attributes in the system; we define ⟨a_i, a_j⟩ as an effective positive (negative) relation pair of r_k corresponding to cluster C_k, where the frequency with which a_i equals a_j in all the records of cluster C_k is much higher (lower) than their frequency of equality in the original data; this is determined based on a threshold θ_p (θ_n). The relation ⟨a_i, a_j⟩ (⟨a_i, !a_j⟩) is added to the relation conditions of the extracted rule r_k for this cluster.
We note that the values of the thresholds T_p, T_n, θ_p, and θ_n will be different for each data set. To find the best threshold values for each data set, we run the rule extraction algorithm for different values of the thresholds, and the values which result in the maximum accuracy over the cross-validation data set are selected.
Algorithms 1 and 2 show the effective attribute and effective relation extraction procedures, respectively.
Algorithm 1 Effective attribute extraction algorithm
1: procedure EXTRACTATTRIBUTEFILTERS
   Input: C_k, A, V, L, T_p, T_n
   Output: F
2:   F ← ∅
3:   for all a ∈ A do
4:     for all v_i ∈ V_a do
5:       if Freq(v_i, C_k) − Freq(v_i, L) > T_p then
6:         F ← F ∪ ⟨a, v_i⟩
7:       end if
8:       if Freq(v_i, L) − Freq(v_i, C_k) > T_n then
9:         F ← F ∪ ⟨a, !v_i⟩
10:      end if
11:    end for
12:  end for
     return F
13: end procedure
4.5 Policy Enhancement
After the first phase of policy rule extraction, we get a policy which may not be as accurate and concise as we desire. We enhance the quality of the mined policy through iterations of policy improvement steps that include: rule pruning and policy refinement.
Algorithm 2 Effective relation extraction algorithm
1: procedure EXTRACTRELATIONS
   Input: C_k, A, L, θ_p, θ_n
   Output: R
2:   R ← ∅
3:   for all a ∈ A do
4:     for all b ∈ A and a ≠ b do
5:       if Freq(a = b, C_k) − Freq(a = b, L) > θ_p then
6:         R ← R ∪ ⟨a, b⟩
7:       end if
8:       if Freq(a = b, L) − Freq(a = b, C_k) > θ_n then
9:         R ← R ∪ ⟨a, !b⟩
10:      end if
11:    end for
12:  end for
     return R
13: end procedure
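Definitions 18 and 19 and the two extraction procedures above, as an added Python example that is not part of the paper or its prototype. Freq(·) is taken as a relative frequency; the access log, its two clusters (standing in for the k-modes partition), the attribute names uDept/oDept and the thresholds of 0.25 (inside the 0.2 to 0.3 range reported in Section 5.2) are all constructed for this example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed access log of permitted authorization tuples (attribute -> value).
# Missing values are assumed to have been replaced by "UNK" already.
LOG = [
    # cluster 0: security staff acting on financial objects of their own department
    {"position": "security", "uDept": "EE", "type": "financial", "oDept": "EE"},
    {"position": "security", "uDept": "CS", "type": "financial", "oDept": "CS"},
    {"position": "security", "uDept": "ME", "type": "financial", "oDept": "ME"},
    {"position": "security", "uDept": "EE", "type": "financial", "oDept": "EE"},
    # cluster 1: managers acting on budgets of other departments
    {"position": "manager", "uDept": "EE", "type": "budget", "oDept": "CS"},
    {"position": "manager", "uDept": "CS", "type": "budget", "oDept": "ME"},
    {"position": "manager", "uDept": "ME", "type": "budget", "oDept": "EE"},
    {"position": "manager", "uDept": "CS", "type": "budget", "oDept": "EE"},
]
CLUSTERS = {0: LOG[:4], 1: LOG[4:]}   # constructed stand-in for the k-modes partition
ATTRIBUTES = ["position", "uDept", "type", "oDept"]

def freq_value(attr, value, records):
    """Freq(v_i, ·): fraction of records in which `attr` takes `value`."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.get(attr, "UNK") == value) / len(records)

def freq_equal(a, b, records):
    """Freq(a = b, ·): fraction of records in which attributes a and b hold the same value."""
    if not records:
        return 0.0
    return sum(1 for r in records if r.get(a, "UNK") == r.get(b, "UNK")) / len(records)

def attribute_values(log):
    """V_a for every attribute a: the set of values observed in the log."""
    values = defaultdict(set)
    for r in log:
        for a, v in r.items():
            values[a].add(v)
    return values

def extract_attribute_filters(cluster, attributes, values, log, t_p, t_n):
    """Algorithm 1: <a, v> is an effective positive filter when v is over-represented in the
    cluster by more than t_p; <a, !v> an effective negative filter when under-represented by
    more than t_n. Filters are returned as (attribute, value) / (attribute, "!value") pairs."""
    filters = set()
    for a in attributes:
        for v in values[a]:
            delta = freq_value(a, v, cluster) - freq_value(a, v, log)
            if delta > t_p:
                filters.add((a, v))
            if -delta > t_n:
                filters.add((a, "!" + v))
    return filters

def extract_relations(cluster, attributes, log, th_p, th_n):
    """Algorithm 2: <a, b> when a = b holds far more often in the cluster than in the whole
    log, <a, !b> when far less often. Equality is symmetric, so each unordered pair of
    distinct attributes is checked once instead of both orderings."""
    relations = set()
    for a, b in combinations(attributes, 2):
        delta = freq_equal(a, b, cluster) - freq_equal(a, b, log)
        if delta > th_p:
            relations.add((a, b))
        if -delta > th_n:
            relations.add((a, "!" + b))
    return relations

def mine_cluster(cluster, t_p=0.25, t_n=0.25, th_p=0.25, th_n=0.25):
    """Attribute filters and relation conditions of the rule extracted for one cluster."""
    values = attribute_values(LOG)
    return (extract_attribute_filters(cluster, ATTRIBUTES, values, LOG, t_p, t_n),
            extract_relations(cluster, ATTRIBUTES, LOG, th_p, th_n))

if __name__ == "__main__":
    for cid, cluster in CLUSTERS.items():
        filters, relations = mine_cluster(cluster)
        print(f"cluster {cid}: filters={sorted(filters)} relations={sorted(relations)}")
```

Cluster 0 yields the positive filters (position, security) and (type, financial), their negative counterparts, and the relation ⟨uDept, oDept⟩; cluster 1 yields the mirror-image filters and the negative relation ⟨uDept, !oDept⟩, while uDept and oDept themselves never become filters because their value frequencies inside each cluster stay close to those of the whole log.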
4.5.1 Rule Pruning
During the rule extraction phase, it is possible to have two clusters that correspond to the same rule. As a result, the extracted rules of these clusters are very similar to each other. Having two similar rules in the final policy increases the complexity of the mined policy while it may not help the accuracy of the policy and, as a result, it hurts the policy quality. To address such an issue, in the rule pruning step we identify similar rules and eliminate the one whose removal improves the policy quality more. If eliminating neither of the two rules improves the policy quality, we keep both rules. This may happen when we have two very similar AC rules in the original policy. We measure the similarity between two rules using Jaccard similarity [30] as follows:
$$J(S_1, S_2) = \frac{|S_1 \cap S_2|}{|S_1 \cup S_2|}$$
Based on this, we calculate the similarity between two rules r_1 and r_2 as follows:
$$J(r_1, r_2) = \frac{\sum_{F \in \{F_U, F_O, F_S\}} |F_{r_1} \cap F_{r_2}| + |R_{r_1} \cap R_{r_2}| + |Op_{r_1} \cap Op_{r_2}|}{\sum_{F \in \{F_U, F_O, F_S\}} |F_{r_1} \cup F_{r_2}| + |R_{r_1} \cup R_{r_2}| + |Op_{r_1} \cup Op_{r_2}|}$$
We consider two rules to be similar if their Jaccard similarity score is more than 0.5, which means that the size of their common elements is more than half of the size of the union of their elements. Algorithm 3 shows the rule pruning procedure.
4.5.2 Policy Refinement
During the rule extraction phase, it is possible to extract rules that are either too restricted or too relaxed compared to the original policy rules. A rule is restricted if it employs more filters than the original rule.
Example 6. Consider the following two rules:
r_1 = ⟨{(position, security)}, {(type, financial)}, {setmeeting}, permit⟩
r_2 = ⟨{(position, security), (uDept, EE)}, {(type, financial)}, {setmeeting}, permit⟩
Algorithm 3 Rule Pruning algorithm
1: procedure RULEPRUNING
   Input: 𝒫
   Output: P
2:   P ← 𝒫.P
3:   Q ← CALCQUALITY(P)
4:   for all r_i ∈ P do
5:     for all r_j ∈ P and r_i ≠ r_j do
6:       if SIMILARITY(r_i, r_j) > 0.5 then
7:         P_i ← P \ r_i
8:         P_j ← P \ r_j
9:         Q_i ← CALCQUALITY(P_i)
10:        Q_j ← CALCQUALITY(P_j)
11:        if Q_i >= Q and Q_i >= Q_j then
12:          P ← P_i
13:        end if
14:        if Q_j >= Q and Q_j >= Q_i then
15:          P ← P_j
16:        end if
17:      end if
18:    end for
19:  end for
     return P
20: end procedure
Here r_2 is more restricted than r_1 as it imposes more conditions on the user attributes.
Having such a restricted rule in the mined policy would result in a larger number of FNs, as an access request that would be permitted by the original rule will be denied by the restricted rule.
On the other hand, an extracted rule is more relaxed compared to the original rule if it misses some of the filters. In Example 6, r_1 is more relaxed than r_2. Such a relaxed rule would result in more FPs as it permits access requests that should be denied as per the original policies.
To address these issues, we propose a policy refinement procedure which is shown in Algorithm 4. Here, we try to refine the mined policy (P_M) based on the patterns discovered in the FN or FP records. These patterns are used to eliminate extra filters from restricted rules or append missing filters to relaxed rules.
To extract patterns from the FN or FP records, we apply our rule extraction procedure on these records to get the corresponding policies P_FN and P_FP. Here our training data are the FN and FP records, respectively. We compare the extracted FN or FP rules with the mined policy and remove the extra filters or append the missing ones to the corresponding rules. As an example, consider the FP records. Here, our goal is to extract the patterns that are common between access requests that were permitted based on the mined policy while they should have been denied based on the original policy.
In each step of refinement, a rule from P_M that is similar to a rule from P_FN or P_FP based on the Jaccard similarity (Section 4.5.1) is selected and then refined in one of the two ways discussed below.
Policy refinement based on P_FN: In the case of FN records, two situations are possible: a rule is missing from the mined policy (P_M) or one of the rules in P_M is more restrictive. To resolve this issue, for each rule r_i ∈ P_FN:
• if there is a similar rule r_j ∈ P_M then we refine r_j as follows:
$$\forall F \in \mathbb{F} :\ F_{r_j} = F_{r_j} \setminus (F_{r_j} \setminus F_{r_i})$$
where $\mathbb{F} = F_U \cup F_O \cup F_S \cup R$. So, the extra filters are removed from the restricted rule (r_j).
• if there is no such rule, then r_i is the missing rule and we add it to P_M.
Policy refinement based on P_FP: In the case of FP records, some filters might be missing in an extracted rule in the mined policy (P_M); so for each rule r_i ∈ P_FP, we refine the mined policy as follows:
$$\forall F \in \mathbb{F} :\ F_{r_j} = F_{r_j} \cup (F_{r_i} \setminus F_{r_j})$$
where $\mathbb{F} = F_U \cup F_O \cup F_S \cup R$ includes all the filters in the rule. So, the missing filters are added to the relaxed rule (r_j).
These refinements can be done in multiple iterations until further refinement does not give a better model in terms of policy quality Q_P.
Algorithm 4 Policy refinement algorithm
1: procedure REFINEPOLICY
   Input: A, L
   Output: P_M
2:   FN ← GETFNS(P_M, L)
3:   P_FN ← EXTRACTPOLICY(FN)
4:   for all r_i ∈ P_FN.P do
5:     R_s ← GETSIMILARRULES(P_FN.P, P_M.P)
6:     if |R_s| = 0 then
7:       P_M.P ← P_M.P ∪ r_i
8:     else
9:       for all r_j ∈ R_s do
10:        for all F ∈ F_U ∪ F_O ∪ F_S ∪ R do
11:          F_{r_j} ← F_{r_j} \ (F_{r_j} \ F_{r_i})
12:        end for
13:      end for
14:    end if
15:  end for
16:  FP ← GETFPS(P_M, L)
17:  P_FP ← EXTRACTPOLICY(FP)
18:  for all r_i ∈ P_FP.P do
19:    R_s ← GETSIMILARRULES(P_FP.P, P_M.P)
20:    if |R_s| != 0 then
21:      for all r_j ∈ R_s do
22:        for all F ∈ F_U ∪ F_O ∪ F_S ∪ R do
23:          F_{r_j} ← F_{r_j} ∪ (F_{r_i} \ F_{r_j})
24:        end for
25:      end for
26:    end if
27:  end for
     return P_M
28: end procedure
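The rule similarity of Section 4.5.1, the pruning of Algorithm 3 and both refinement steps of Algorithm 4, as an added Python example that is not the authors' code. The Rule layout, the record-matching semantics, the labelled log and the quality function standing in for Q_P are assumptions of this example; the rules R1 and R2 are the paper's Example 6.

```python
from itertools import combinations
from typing import Callable, FrozenSet, List, NamedTuple, Tuple

class Rule(NamedTuple):
    """Rule layout assumed for this example; filters are (attribute, value) or (attribute, "!value")."""
    f_u: FrozenSet[Tuple[str, str]]    # user attribute filters
    f_o: FrozenSet[Tuple[str, str]]    # object attribute filters
    f_s: FrozenSet[Tuple[str, str]]    # remaining attribute filters (F_S)
    rel: FrozenSet[Tuple[str, str]]    # relation conditions <a, b> or <a, !b>
    ops: FrozenSet[str]                # operations
    decision: str = "permit"

FILTER_FIELDS = ("f_u", "f_o", "f_s", "rel")   # the sets written F in Section 4.5.2
SIM_FIELDS = FILTER_FIELDS + ("ops",)          # the sets summed in the Jaccard score

def jaccard(r1: Rule, r2: Rule) -> float:
    """J(r1, r2): summed intersections over summed unions of filters, relations and operations."""
    inter = sum(len(getattr(r1, f) & getattr(r2, f)) for f in SIM_FIELDS)
    union = sum(len(getattr(r1, f) | getattr(r2, f)) for f in SIM_FIELDS)
    return inter / union if union else 0.0

def refine_restricted(r_j: Rule, r_i: Rule) -> Rule:
    """FN case: F_rj = F_rj minus (F_rj minus F_ri), dropping filters the FN pattern r_i lacks."""
    return r_j._replace(**{f: getattr(r_j, f) - (getattr(r_j, f) - getattr(r_i, f)) for f in FILTER_FIELDS})

def refine_relaxed(r_j: Rule, r_i: Rule) -> Rule:
    """FP case: F_rj = F_rj union (F_ri minus F_rj), appending filters the FP pattern r_i has."""
    return r_j._replace(**{f: getattr(r_j, f) | (getattr(r_i, f) - getattr(r_j, f)) for f in FILTER_FIELDS})

def refine_policy(p_m: List[Rule], p_fn: List[Rule], p_fp: List[Rule]) -> List[Rule]:
    """One round of Algorithm 4: refine P_M with the policies mined from FN and FP records."""
    policy = list(p_m)
    for r_i in p_fn:
        sim = [r for r in policy if jaccard(r, r_i) > 0.5]
        if not sim:
            policy.append(r_i)                       # the rule was missing from P_M
        else:
            policy = [refine_restricted(r, r_i) if r in sim else r for r in policy]
    for r_i in p_fp:
        sim = [r for r in policy if jaccard(r, r_i) > 0.5]
        policy = [refine_relaxed(r, r_i) if r in sim else r for r in policy]
    return policy

def prune_rules(policy: List[Rule], quality: Callable[[List[Rule]], float]) -> List[Rule]:
    """Algorithm 3: for similar pairs, drop the rule whose removal raises quality more; keep both otherwise."""
    policy, q, changed = list(policy), quality(policy), True
    while changed:
        changed = False
        for r_i, r_j in combinations(policy, 2):
            if jaccard(r_i, r_j) <= 0.5:
                continue
            p_i = [r for r in policy if r != r_i]
            p_j = [r for r in policy if r != r_j]
            q_i, q_j = quality(p_i), quality(p_j)
            if q_i >= q and q_i >= q_j:
                policy, q, changed = p_i, q_i, True
            elif q_j >= q and q_j >= q_i:
                policy, q, changed = p_j, q_j, True
            if changed:
                break                                # rescan the shrunken rule set
    return policy

def satisfies(rule: Rule, rec: dict) -> bool:
    """Assumed matching semantics: positive filters/relations must hold, negated ones must not."""
    for f in ("f_u", "f_o", "f_s"):
        for a, v in getattr(rule, f):
            if (rec.get(a, "UNK") == v.lstrip("!")) == v.startswith("!"):
                return False
    for a, b in rule.rel:
        if (rec.get(a, "UNK") == rec.get(b.lstrip("!"), "UNK")) == b.startswith("!"):
            return False
    return rec["op"] in rule.ops

def policy_quality(policy: List[Rule], log: List[dict], alpha: float = 0.01) -> float:
    """Constructed stand-in for Q_P: accuracy on a labelled log minus a WSC-style size penalty."""
    correct = sum(any(satisfies(r, rec) for r in policy) == rec["permit"] for rec in log)
    size = sum(len(getattr(r, f)) for r in policy for f in SIM_FIELDS)
    return correct / len(log) - alpha * size

# Example 6 from the paper in the layout above; R2 carries the extra user filter (uDept, EE).
R1 = Rule(frozenset({("position", "security")}), frozenset({("type", "financial")}),
          frozenset(), frozenset(), frozenset({"setmeeting"}))
R2 = R1._replace(f_u=frozenset({("position", "security"), ("uDept", "EE")}))

# Constructed labelled log whose original policy is R1 (security staff of any department).
LOG = [
    {"position": "security", "uDept": "EE", "type": "financial", "op": "setmeeting", "permit": True},
    {"position": "security", "uDept": "CS", "type": "financial", "op": "setmeeting", "permit": True},
    {"position": "manager", "uDept": "EE", "type": "financial", "op": "setmeeting", "permit": False},
]

def demo():
    """(J(R1, R2), P_M=[R2] refined with P_FN=[R1], P_M=[R1] refined with P_FP=[R2], pruned [R1, R2])."""
    return (jaccard(R1, R2),
            refine_policy([R2], [R1], []),
            refine_policy([R1], [], [R2]),
            prune_rules([R1, R2], lambda p: policy_quality(p, LOG)))
```

With J(R1, R2) = 3/4 the two rules count as similar: FN refinement strips (uDept, EE) from R2, FP refinement adds it to R1, and pruning keeps only R1 because removing R2 leaves accuracy at 1.0 while lowering the size penalty, whereas removing R1 would deny the CS record.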
5 EXPERIMENTAL EVALUATION
We have implemented a prototype of our proposed approach presented in Section 4. Here, we present our experimental evaluation.
5.1 Datasets
We perform our experiments on multiple datasets including synthesized and real ones. The synthesized access logs are generated from two sets of ABAC policies. The first one is a manually written set of policies that is adapted from [15] to be compatible with our policy language. The second one includes a completely randomly generated set of policies. To synthesize our input data, for each ABAC policy (i.e., University Policy, Healthcare Policy, etc.), a set of authorization tuples is generated and the outcome of the ABAC policy for each access right is evaluated. The authorization tuples with permit as their outcome are the inputs to our unsupervised learning model.
Our real datasets are built from access logs provided by Amazon in a Kaggle competition [31] and available in the UCI machine learning repository [32].
Manual Policy - University: This policy is adapted from [15] and it controls access of different users including students, instructors, teaching assistants, etc., to various objects (applications, gradebooks, etc.).
Manual Policy - Healthcare: This policy is adapted from [15] and is used to control access by different users (e.g. nurses, doctors, etc.) to electronic health records (EHRs) and EHR items.
Manual Policy - Project Management: This policy is adapted from [15] and it controls access by different users (e.g. department managers, project leaders, employees, etc.) to various objects (e.g. budgets, schedules and tasks).
Random Policies: The authorization rules for these policies are generated completely randomly from random sets of attributes and attribute values. These randomly generated policies provide an opportunity to evaluate our proposed algorithm on access logs with various sizes and with varying structural characteristics. However, we note that the performance of our algorithm on random policies might not be representative of its performance in real scenarios and over real policies.
Real Dataset - Amazon Kaggle: The Kaggle competition dataset [31] includes access requests made by Amazon's employees over two years. Each record in this dataset describes an employee's request to a resource and whether the request was authorized or not. A record consists of the employee's attribute values and the resource identifier. The dataset includes more than 12,000 users and 7,000 resources.
Real Dataset - Amazon UCI: This dataset is provided by Amazon in the UCI machine learning repository [32]. It includes more than 36,000 users and 27,000 permissions. Since the dataset contains over 33,000 attributes, our focus in this experiment is narrowed to the 8 most requested permissions in the dataset.
Partial Datasets: To check the efficiency of the proposed algorithm over sparse datasets, we generate sparse datasets (partial datasets) by randomly selecting authorization tuples from the complete dataset. For example, a 10% sparse (partial) dataset is generated by randomly selecting 10% of the tuples from the complete access logs.
Noisy Datasets: To check the efficiency of the proposed algorithm over noisy datasets, we generate noisy datasets by randomly reversing the decision of authorization tuples. For instance, a 10% noisy dataset is generated by randomly reversing the decision of 10% of the authorization tuples in the complete access logs.
TABLE 3: Details of the Synthesized and Real Policies
#    | P                    | |P| | |A| | |V|   | |L|    | |L+|  | |L-|
P1   | UniversityP          | 10  | 11  | 45    | 2,700K | 231K  | 2,468K
P2   | HealthcareP          | 9   | 13  | 40    | 982K   | 229K  | 753K
P3   | ProjectManagementP   | 11  | 14  | 44    | 5,900K | 505K  | 5,373K
P4   | UniversityPN         | 10  | 11  | 45    | 2,700K | 735K  | 1,964K
P5   | HealthcarePN         | 9   | 13  | 40    | 982K   | 269K  | 713K
P6   | ProjectManagementPN  | 11  | 14  | 44    | 5,900K | 960K  | 4,918K
P7   | Random Policy 1      | 10  | 8   | 27    | 17K    | 2,742 | 14K
P8   | Random Policy 2      | 10  | 10  | 48    | 5,250K | 245K  | 5,004K
P9   | Random Policy 3      | 10  | 12  | 38    | 560K   | 100K  | 459K
P10  | Amazon Kaggle        | -   | 10  | 15K   | 32K    | 30K   | 1897
P11  | Amazon UCI           | -   | 14  | 7,153 | 70K    | 36K   | 34K
For each of the manual policies, we consider two different sets of policy rules; the first one only contains positive attribute filters and relations while the second one includes both positive and negative attribute filters and relations. We have included these policies in Appendix A.
Table 3 shows the details of the manual and random access log datasets. In this table, |P| shows the number of rules in the original policy, |A| and |V| show the number of attributes and attribute values, and |L|, |L+|, |L-| show the number of access control tuples, the number of positive access logs, and the number of negative access logs in the given dataset, respectively.
5.2 Experimental Setup
To evaluate our proposed method, we use a computer with a 2.6 GHz Intel Core i7 and 16 GB of RAM. We use Python 3 in the mining and the evaluation process. The algorithms were highly time-efficient (e.g., the maximum time consumption is less than half an hour).
We use the kmodes library [33] for clustering our data. The initialization based on density (CAO) [26] is chosen for cluster initialization in the kmodes algorithm.
To find the optimal k, we apply the Silhouette method to test different values of k. We examine each value of k in the pre-defined set [10, 20]. Then the k value that results in the highest Silhouette score is used in the final model.
To generate the synthesized access log L, we brute force through all attributes A and their values V_a to produce all possible combinations for the tuples. This method was used to generate a complete access log for the random and manual policy datasets. We generate two sets of partial datasets; the 10% partial datasets are used to check the efficiency of the proposed approach over sparse datasets (Table 4) and the 0.1% partial datasets are used to compare the proposed approach with previous work (Table 5). We also generate a set of noisy datasets to check the efficiency of the proposed algorithm over noisy access logs. The results of these experiments are reported in Table 4.
For all experiments, the optimal thresholds for selecting effective attributes and relations are between 0.2 and 0.3.
5.3 Results
We first evaluate the performance of our policy mining algorithm on complete datasets. Table 4 shows the results of these experiments.
Our second set of experiments is on partial datasets. The algorithm proposed by Xu and Stoller [14] and the approach presented by Cotrini et al. [18] are not able to handle complete datasets as these datasets are huge. To be able to compare the performance of our proposed algorithm with their work, we generated 0.1% sparse (partial) datasets and ran all algorithms over these partial datasets. The results of these experiments are shown in Table 5 and Figures 2, 3, and 4.
The algorithm proposed by Xu and Stoller [14] and the approach presented by Cotrini et al. [18] do not generate policy rules with negative attribute filters and relations; however, we report the results of their algorithms over datasets related to policy rules including negations (policies P4, P5, P6) to show how the quality of mined policies would be impacted if the mining algorithm does not extract rules that include negation.
5.3.1 The F-Score of the Mined Policies
Table 4 shows the final F-Score|L of our proposed approach after several rounds of refinement over all complete datasets. As we can see in Table 4, the proposed approach achieves a high F-score across all experiments except for P6. P6 is a very complex dataset with both positive and negative attribute and relation filters, including 14 attributes, 44 attribute values, and around six million access records. The final policy quality for this dataset is around 0.63, which is acceptable considering the complexity of the policy.
Table 5 and Figure 2 show the comparison of the F-Scores of policies mined by our proposed approach with those of previous work over partial datasets (with 0.1% of the complete datasets). The F-Score of policies mined by our algorithm is very close to that of the approach proposed by Cotrini et al. [18]. As we can see, our proposed approach outperforms theirs in half of the experiments.
5.3.2 The Complexity of the Mined Policies
In Table 4, we can see the final WSC of the policies mined by our proposed approach. All extracted policies have a complexity lower than 100, which is much lower than that of the most complex policy for each individual dataset. According to Definition 17, the most complex policy for each dataset has the same complexity as the original positive access log (L+). Given the numbers in Tables 3 and 4, the most complex policies for these scenarios are thousands of times more complex than the policies extracted by our approach.
We compare the complexity of the policies mined by different ABAC mining algorithms in Figure 3. Among the three different approaches, the Cotrini et al. algorithm extracts the most complex policies, with WSC greater than 1000 in some cases. The complexity of the policies mined by our algorithm is very close to that of the policies extracted by the approach proposed by Xu and Stoller [14].
5.3.3 The Policy Quality of the Mined Policies
Finally, Table 4 shows the quality of the policies extracted through our proposed approach. We can see that, out of all datasets that our proposed algorithm was applied on, around 75% of the cases reached a policy quality of more than 0.8, which is significant considering the huge size of the original access logs (each more than 30K records).
According to Figure 4, in most cases the policy quality of the policies mined by our proposed approach is higher than that of the policies extracted by the other ABAC mining algorithms.
[Figure 2: plot over the datasets Partial P1, Partial P2, Partial P3, Partial P4, Partial P5, Partial P6, P10 and P11; y-axis: F-score (0 to 100); series: Proposed Approach, Xu and Stoller [14], Cotrini et al. [18]]
Fig. 2: The F-Score of the Policies Mined by ABAC Mining Algorithms
[Figure 3: plot over the same datasets; y-axis: WSC (0 to 2500); series: Proposed Approach, Xu and Stoller [14], Cotrini et al. [18]]
Fig. 3: The Complexity of the Policies Mined by ABAC Mining Algorithms
[Figure 4: plot over the same datasets; y-axis: Policy Quality (0.0 to 1.0); series: Proposed Approach, Xu and Stoller [14], Cotrini et al. [18]]
Fig. 4: The Quality of the Policies Mined by ABAC Mining Algorithms
6 RELATED WORK
As the RBAC approach became popular, many organizations decided to equip their information systems with this more recent access control model; however, migrating to RBAC from legacy access control systems was a huge obstacle for such environments. As a result, several researchers have addressed this challenge by introducing automated role extraction algorithms [10], [11], [12], [13], [23], [34], [35], [36], [37], [38], [39]. Role engineering and role mining are the terms that have been used to refer to procedures that extract an optimal set of roles given user-permission assignments.
In [10], Kuhlmann and Schimpf try to discover a set of roles from user-permission assignments using clustering techniques; however, they do not show the feasibility of their proposed approach through experiments. In addition, their proposed approach lacks a metric to choose the best model based on their clustering method.
The ORCA role mining tool is proposed by Schlegelmilch and Steffens and performs a hierarchical clustering on user-permission assignments [11]. Their proposed method limits the hierarchical structure to a tree, so that each permission/user is assigned to one role in the hierarchy. This feature limits the feasibility of their proposed approach as, in real environments, roles do not necessarily form a tree.
Ni et al. propose a supervised learning approach for role mining which maps each user-permission assignment to a role using a supervised classifier (i.e., a support vector machine (SVM)) [39]. The main limitation of their proposed approach is that the roles and some parts of the role-permission assignments are needed beforehand; hence, it is not applicable in many organizations.
Vaidya et al. are the first to define the Role Mining Problem (RMP) formally and analyze its theoretical bounds [40]. They also propose a heuristic approach for finding a minimal set of roles for a given set of user-permission assignments.
Xu and Stoller are the first to propose an algorithm for mining ABAC policies from RBAC [41], logs [14], and access control lists [15] plus attribute information. Their policy mining algorithms iterate over access control tuples (generated from available information, e.g., user permission relations and attributes) and construct candidate rules. They then generalize the candidate rules by replacing conjuncts in attribute expressions with constraints. The main limitation of these algorithms is that, as they are based on heuristic approaches, the proposed techniques work very well for simple and small-scale AC policies; however, as the number of rules in the policy and the number of elements in each rule increase, they do not perform well.
TABLE 4: Results of Our Proposed Approach on Various Synthesized and Real Policy Datasets
P                 | Total Running Time (s) | Optimal k | |P_mined| | ACC_P|L | F-Score_P|L | WSC_orig | WSC_mined | Q_P
P1                | 9376.556               | 15        | 20        | 97.5%   | 83.6%       | 33       | 91        | 0.91
Partial P1 (10%)  | 1994.769               | 15        | 13        | 97.29%  | 82.21%      | 33       | 54        | 0.90
Noisy P1 (10%)    | 4979.56                | 10        | 8         | 96.94%  | 80%         | 33       | 28        | 0.90
P2                | 2180.745               | 18        | 18        | 85.49%  | 75.93%      | 33       | 71        | 0.86
Partial P2 (10%)  | 4787.98                | 10        | 8         | 96.94%  | 85.33%      | 33       | 28        | 0.92
Noisy P2 (10%)    | 7339.91                | 8         | 15        | 72.22%  | 82.13%      | 33       | 27        | 0.90
P3                | 7795.44                | 15        | 17        | 95.6%   | 65.63%      | 44       | 55        | 0.80
Partial P3 (10%)  | 1347.29                | 6         | 10        | 95.2%   | 62.24%      | 44       | 56        | 0.77
Noisy P3 (10%)    | 1912.72                | 15        | 15        | 94.47%  | 62.66%      | 44       | 81        | 0.77
P4                | 13662.62               | 7         | 16        | 86.7%   | 71.58%      | 33       | 40        | 0.83
P5                | 8681.64                | 15        | 15        | 78.11%  | 62%         | 33       | 67        | 0.76
P6                | 12905.78               | 20        | 17        | 88.05%  | 46.28%      | 44       | 80        | 0.63
P7                | 24.63                  | 8         | 20        | 93%     | 78.33%      | 33       | 65        | 0.88
P8                | 13081.20               | 10        | 14        | 99.12%  | 91.28%      | 33       | 51        | 0.95
P9                | 2266.68                | 8         | 16        | 92.17%  | 79.66%      | 33       | 46        | 0.89
P10               | 265.3                  | 15        | 20        | 94%     | 97%         | -        | 44        | 0.98
P11               | 1010.43                | 24        | 25        | 98.49%  | 99%         | -        | 92        | 0.82
TABLE 5: Comparison of Our Proposed Approach with Previous Work on Various Synthesized and Real Policy Datasets
Mining Alg.          | P                  | Time (s) | ACC_P|L | F-Score_P|L | |P_mined| | WSC(P) | Q_P
Xu and Stoller [14]  | Partial P1 (0.1%)  | 227      | 94.74%  | 65.87%      | 10        | 34     | 0.79
Cotrini et al. [18]  |                    | 126      | 80.74%  | 45.3%       | 132       | 508    | 0.58
Proposed Approach    |                    | 7.3      | 96%     | 74.2%       | 7         | 29     | 0.85
Xu and Stoller [14]  | Partial P2 (0.1%)  | 32645    | 64.43%  | 63.61%      | 3         | 6      | 0.78
Cotrini et al. [18]  |                    | 529      | 72.72%  | 64%         | 65        | 272    | 0.75
Proposed Approach    |                    | 7.9      | 79.78%  | 68.23%      | 13        | 49     | 0.81
Xu and Stoller [14]  | Partial P3 (0.1%)  | -*       | -*      | -*          | -*        | -*     | -*
Cotrini et al. [18]  |                    | 3587     | 91.57%  | 54.124%     | 24        | 77     | 0.70
Proposed Approach    |                    | 11.44    | 94.96%  | 51.31%      | 12        | 55     | 0.78
Xu and Stoller [14]  | Partial P4 (0.1%)  | 4230     | 73.37%  | 16.1%       | 10        | 34     | 0.28
Cotrini et al. [18]  |                    | 204      | 93.55%  | 88.5%       | 385       | 1389   | 0.86
Proposed Approach    |                    | 15       | 89.3%   | 80%         | 10        | 40     | 0.89
Xu and Stoller [14]  | Partial P5 (0.1%)  | 45348    | 79.25%  | 73.09%      | 3         | 6      | 0.84
Cotrini et al. [18]  |                    | 3587     | 86.46%  | 79.2%       | 123       | 462    | 0.83
Proposed Approach    |                    | 8.8      | 87.2%   | 76.3%       | 15        | 66     | 0.86
Xu and Stoller [14]  | Partial P6 (0.1%)  | -*       | -*      | -*          | -*        | -*     | -*
Cotrini et al. [18]  |                    | 2848     | 82.75%  | 62.66%      | 31        | 100    | 0.77
Proposed Approach    |                    | 22.67    | 81.2%   | 49.4%       | 12        | 44     | 0.66
Xu and Stoller [14]  | P10                | -*       | -*      | -*          | -*        | -*     | -*
Cotrini et al. [18]  |                    | 237      | 84.25%  | 91.39%      | 1055      | 2431   | 0.92
Proposed Approach    |                    | 265.3    | 94%     | 97%         | 20        | 44     | 0.98
Xu and Stoller [14]  | P11                | -*       | -*      | -*          | -*        | -*     | -*
Cotrini et al. [18]  |                    | 1345     | 70.93%  | 75.64%      | 466       | 1247   | 0.85
Proposed Approach    |                    | 1010.43  | 98.49%  | 99%         | 24        | 92     | 0.99
* Xu and Stoller [14] did not terminate nor produce any output for these datasets even after running for more than 24 hours.
Following Xu and Stoller's proposed method, Medvet et al. [16] propose a multi-objective evolutionary algorithm for extracting ABAC policies. The proposed approach is a separate-and-conquer algorithm, in each iteration of which a new rule is learned and the set of access log tuples becomes smaller. Their algorithm employs several search-optimizing features to improve the quality of the mined rules. Although their approach is a multi-objective optimization framework which incorporates requirements on both correctness and expressiveness, it suffers from the same issue as [15].
Iyer and Masoumzadeh [17] propose a more systematic, yet heuristic, ABAC policy mining approach which is based on the rule mining algorithm called PRISM. It inherits the shortcomings associated with PRISM, which include dealing with the large dimensionality of the search space of attribute values and the generation of a huge number of rules.
Cotrini et al. propose an algorithm called Rhapsody for mining ABAC rules from sparse logs [18]. Their proposed approach is built upon subgroup discovery algorithms. They define a novel metric, reliability, which measures how overly permissive an extracted rule is. In addition, they propose a universal cross-validation metric for evaluating the mined policy when the input log is sparse. However, their algorithm is not capable of mining policies from logs with many attributes, as the number of extracted rules grows exponentially in the number of attributes of the system.
7 DISCUSSION AND LIMITATIONS
As mentioned in Section 5.3, our proposed approach is able to achieve a practical level of performance when applied to both synthesized and real datasets. In the case of synthesized datasets, the proposed approach is capable of mining policies containing both positive and negative attribute filters from complete datasets. Our proposed approach also shows potential for use on sparse datasets. In addition, the real datasets contain a large number of attributes and attribute values, as shown in Table 3. The ability of our proposed approach to mine high-quality policies for these datasets shows that the number of attributes and attribute values has minimal impact on the effectiveness of our approach.
The proposed approach is based on an unsupervised clustering algorithm. Since finding the proper number of clusters is a challenge for clustering algorithms in general, our approach is affected by this issue as well. The same issue also applies to finding the best thresholds for extracting effective attributes and relations.
We note that, as the proposed algorithm is based on tuning multiple parameters, it is possible that it gets stuck in a local optimum. For this reason, we do not claim that it will extract the policy with the highest quality in every scenario, nor do we claim that extracting rules with negative attribute filters and relations would always result in a policy with higher quality (as we can see in Section 5.3); however, by trying more randomization in cluster initialization and a wider range of parameters, we can get one that is closer to the global optimum.
In our evaluation, we used random selection to create noisy and sparse datasets from complete datasets. Although we ensured the same percentage of randomly selected tuples from permitted and denied logs, guaranteeing the quality of the sampling is difficult.
8 CONCLUSION
In this paper, we have proposed an unsupervised learning-based approach to automating the ABAC policy extraction process. The proposed approach is capable of discovering both positive and negative attribute expressions as well as positive and negative relation conditions, while previous approaches to access control policy extraction had only focused on positive expressions. Furthermore, our work is capable of improving the extracted policy through iterations of the proposed rule pruning and policy refinement algorithms. These refinement algorithms are based on the false positive and false negative records and they help in increasing the quality of the mined policy.
Most importantly, we have proposed the policy quality metric, which considers both the conciseness and the correctness of the mined policy and is important for comparing the extracted policy with the original one and for improving it as needed.
We have evaluated our policy extraction algorithm on access logs generated for various sample policies and demonstrated its feasibility. Furthermore, we have shown that our approach outperforms previous works in terms of policy quality.
As future work, we plan to extend our method to support numerical data and to extract negative authorization rules as well, while studying the effects of various conflict resolution strategies on the quality of the mined policy.
REFERENCES
[1] R. S. Sandhu and P. Samarati, "Access control: principle and practice," IEEE Communications Magazine, vol. 32, no. 9, pp. 40–48, 1994.
[2] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman, "Protection in operating systems," Communications of the ACM, vol. 19, no. 8, pp. 461–471, 1976.
[3] D. E. Bell and L. J. LaPadula, "Secure computer systems: Mathematical foundations," tech. rep., MITRE Corp., Bedford, MA, 1973.
[4] R. S. Sandhu, "Lattice-based access control models," Computer, vol. 26, no. 11, pp. 9–19, 1993.
[5] R. S. Sandhu, E. J. Coyne, H. L. Feinstein, and C. E. Youman, "Role-based access control models," Computer, vol. 29, no. 2, pp. 38–47, 1996.
[6] P. W. Fong and I. Siahaan, "Relationship-based access control policies and their policy languages," in Proceedings of the 16th ACM Symposium on Access Control Models and Technologies, pp. 51–60, ACM, 2011.
[7] J. Jin, G.-J. Ahn, H. Hu, M. J. Covington, and X. Zhang, "Patient-centric authorization framework for sharing electronic health records," in Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, pp. 125–134, ACM, 2009.
[8] L. Karimi and J. Joshi, "Multi-owner multi-stakeholder access control model for a healthcare environment," in Collaboration and Internet Computing (CIC), 2017 IEEE 3rd International Conference on, pp. 359–368, IEEE, 2017.
[9] V. C. Hu, D. Ferraiolo, R. Kuhn, A. R. Friedman, A. J. Lang, M. M. Cogdell, A. Schnitzer, K. Sandlin, R. Miller, K. Scarfone, et al., "Guide to attribute based access control (ABAC) definition and considerations (draft)," NIST Special Publication, vol. 800, no. 162, 2013.
[10] M. Kuhlmann, D. Shohat, and G. Schimpf, "Role mining - revealing business roles for security administration using data mining technology," in Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, pp. 179–186, ACM, 2003.
[11] J. Schlegelmilch and U. Steffens, "Role mining with ORCA," in Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies, pp. 168–176, ACM, 2005.
[12] I. Molloy, H. Chen, T. Li, Q. Wang, N. Li, E. Bertino, S. Calo, and J. Lobo, "Mining roles with semantic meanings," in Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, pp. 21–30, ACM, 2008.
[13] Z. Xu and S. D. Stoller, "Algorithms for mining meaningful roles," in Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, pp. 57–66, ACM, 2012.
[14] Z. Xu and S. D. Stoller, "Mining attribute-based access control policies from logs," in IFIP Annual Conference on Data and Applications Security and Privacy, pp. 276–291, Springer, 2014.
[15] Z. Xu and S. D. Stoller, "Mining attribute-based access control policies," IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 5, pp. 533–545, 2015.
[16] E. Medvet, A. Bartoli, B. Carminati, and E. Ferrari, "Evolutionary inference of attribute-based access control policies," in EMO (1), pp. 351–365, 2015.
[17] P. Iyer and A. Masoumzadeh, "Mining positive and negative attribute-based access control policy rules," in Proceedings of the 23rd ACM Symposium on Access Control Models and Technologies, pp. 161–172, ACM, 2018.
[18] C. Cotrini, T. Weghorn, and D. Basin, "Mining ABAC rules from sparse logs," in 2018 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 31–46, IEEE, 2018.
[19] P. Marinescu, C. Parry, M. Pomarole, Y. Tian, P. Tague, and I. Papagiannis, "IVD: Automatic learning and enforcement of authorization rules in online social networks," in 2017 IEEE Symposium on Security and Privacy (SP), pp. 1094–1109, IEEE, 2017.
[20] D. B. Suits, "Use of dummy variables in regression equations," Journal of the American Statistical Association, vol. 52, no. 280, pp. 548–551, 1957.
[21] C. M. Bishop, Pattern Recognition and Machine Learning. Springer, 2006.
[22] Wikipedia contributors, "Accuracy paradox - Wikipedia, the free encyclopedia," 2018. [Online; accessed 30-September-2019].
[23] I. Molloy, H. Chen, T. Li, Q. Wang, N. Li, E. Bertino, S. Calo, and J. Lobo, "Mining roles with multiple objectives," ACM Transactions on Information and System Security (TISSEC), vol. 13, no. 4, p. 36, 2010.
[24] M. Beckerle and L. A. Martucci, βFormal definitions for usableaccess control rule sets from goals to metrics,β in Proceedings of theNinth Symposium on Usable Privacy and Security, p. 2, ACM, 2013.
[25] C. J. v. Rijsbergen, Information retrieval. 2.ed. Butterworths, 1979.[26] F. Cao, J. Liang, and L. Bai, βA new initialization method for cat-
egorical data clustering,β Expert Systems with Applications, vol. 36,no. 7, pp. 10223β10228, 2009.
[27] L. Karimi and J. Joshi, βAn unsupervised learning based approachfor mining attribute basedaccess control policies,β in Big Data (BigData), 2018 IEEE International Conference on, IEEE, 2018.
[28] R. L. Thorndike, βWho belongs in the family?,β Psychometrika,vol. 18, no. 4, pp. 267β276, 1953.
[29] C. Goutte, P. Toft, E. Rostrup, F. Γ . Nielsen, and L. K. Hansen, βOnclustering fmri time series,β NeuroImage, vol. 9, no. 3, pp. 298β310,1999.
[30] P. Jaccard, βThe distribution of the flora in the alpine zone. 1,β Newphytologist, vol. 11, no. 2, pp. 37β50, 1912.
[31] Amazon.com, βAmazon employee access challenge.β Kaggle.[32] Montanez, Ken, βAmazon access samples.β UCI Machine Learn-
ing Repository: Amazon Access Samples Data Set.[33] Devos, Nico and Hes, Robin, βKmodes implementation.β[34] J. Vaidya, V. Atluri, and Q. Guo, βThe role mining problem: finding
a minimal descriptive set of roles,β in Proceedings of the 12th ACMsymposium on Access control models and technologies, pp. 175β184,ACM, 2007.
[35] J. Vaidya, V. Atluri, and J. Warner, βRoleminer: mining roles usingsubset enumeration,β in Proceedings of the 13th ACM conference onComputer and communications security, pp. 144β153, ACM, 2006.
[36] D. Zhang, K. Ramamohanarao, and T. Ebringer, βRole engineeringusing graph optimisation,β in Proceedings of the 12th ACM sympo-sium on Access control models and technologies, pp. 139β144, ACM,2007.
[37] Q. Guo, J. Vaidya, and V. Atluri, βThe role hierarchy mining prob-lem: Discovery of optimal role hierarchies,β in Computer SecurityApplications Conference, 2008. ACSAC 2008. Annual, pp. 237β246,IEEE, 2008.
[38] H. Takabi and J. B. Joshi, βStateminer: an efficient similarity-basedapproach for optimal mining of role hierarchy,β in Proceedings ofthe 15th ACM symposium on Access control models and technologies,pp. 55β64, ACM, 2010.
[39] Q. Ni, J. Lobo, S. Calo, P. Rohatgi, and E. Bertino, βAutomatingrole-based provisioning by learning from examples,β in Proceed-ings of the 14th ACM symposium on Access control models andtechnologies, pp. 75β84, ACM, 2009.
[40] J. Vaidya, V. Atluri, and Q. Guo, βThe role mining problem: Aformal perspective,β ACM Transactions on Information and SystemSecurity (TISSEC), vol. 13, no. 3, p. 27, 2010.
[41] Z. Xu and S. D. Stoller, βMining attribute-based access controlpolicies from rbac policies,β in Emerging Technologies for a SmarterWorld (CEWIT), 2013 10th International Conference and Expo on,pp. 1β6, IEEE, 2013.
Leila Karimi received an undergraduate degree and the MS degree in information technology engineering from the Sharif University of Technology, Tehran, Iran. She is a Ph.D. candidate at the School of Computing and Information (SCI), at the University of Pittsburgh. Her research interests lie at the intersection of information security, data privacy, and machine learning. Currently, she is working on applying machine learning techniques to solve challenging problems in the security domain.
Maryam Aldairi received an undergraduate degree in management information systems from King Faisal University, Alhasa, KSA, and the MS degree in information science from the University of Pittsburgh. She is a Ph.D. student at the School of Computing and Information (SCI), at the University of Pittsburgh. Her research interests lie at the intersection of information security, adversarial learning, and machine learning. Currently, her focus is on applying machine learning techniques to solve challenging problems in the security domain.
James Joshi received the MS degree in computer science and the Ph.D. degree in computer engineering from Purdue University. He is a professor in the School of Computing and Information (SCI) at the University of Pittsburgh. His research interests include access control models, security and privacy of distributed systems, trust management, and information survivability. He is the director of LERSAIS at the University of Pittsburgh. He is an elected fellow of the Society of Information Reuse and Integration (SIRI) and is a senior member of the IEEE and the ACM. He currently serves as a Program Director of the Secure and Trustworthy Cyberspace program at the National Science Foundation.
Mai Abdelhakim is an assistant professor in the Department of Electrical and Computer Engineering at the University of Pittsburgh's Swanson School of Engineering. She received her Ph.D. degree in Electrical Engineering from Michigan State University, and Bachelor's and Master's degrees in Electronics and Communications Engineering from Cairo University. Her research interests include cyber-physical systems, cybersecurity, machine learning, stochastic systems modeling, and information theory.