DOI: 10.1145/3643650.3658608
Research article, open access (CODASPY conference proceedings)

Automated Generation and Update of Structured ABAC Policies

Published: 19 June 2024

Abstract

    We present a new access control policy generation algorithm that also offers a solution to the policy update problem. The algorithm generates structured attribute-based access control policies; more precisely, it generates a categorisation of principals and resources based on attribute values, together with rules that specify permissions for categories of principals on categories of resources. To facilitate the identification of user profiles associated with granted and denied requests, the algorithm generates both positive and negative categories (defining authorisations and prohibitions, respectively). The input for the algorithm is a set of access request logs together with attributes of entities in the system, and optionally an existing policy. If only logs are provided as input, the algorithm generates a policy that is consistent with the input logs (i.e., the mined policy includes the authorisations and prohibitions that occur in the logs). If instead the algorithm is used to update an existing policy, then it is sufficient to provide as input the policy and examples of authorisations and prohibitions that the updated version of the policy should include. To illustrate the algorithm, we describe its application to a public ICU health metric data set.
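    The generation mode described in the abstract, as an added illustration that is not the paper's algorithm: a small miner turns a constructed access log plus entity attributes into positive and negative categories (conjunctions of attribute=value pairs) with per-action rules, then checks that the mined policy is consistent with the log. The greedy generalisation step, the deny-overrides combination in `evaluate`, and all function names and sample data are assumptions, not taken from the paper.

```python
# Constructed sample attributes and log (the paper's ICU data set is not used).
PRINCIPALS = {"p1": {"role": "doctor", "unit": "icu"},
              "p2": {"role": "nurse", "unit": "icu"},
              "p3": {"role": "nurse", "unit": "ward"}}
RESOURCES = {"r1": {"type": "vitals", "unit": "icu"},
             "r2": {"type": "notes", "unit": "icu"}}
LOG = [("p1", "r1", "read", "permit"), ("p2", "r1", "read", "permit"),
       ("p3", "r1", "read", "deny"), ("p1", "r2", "write", "permit"),
       ("p2", "r2", "write", "deny")]  # (principal, resource, action, decision)

def profile(attrs):  # most specific category of an entity: all its attribute=value pairs
    return frozenset(attrs.items())

def covers(category, attrs):
    return category <= profile(attrs)

def generalise(pcat, rcat, action, decision, log, principals, resources):
    """Greedy widening (an assumption): drop attribute pairs from the category
    pair as long as it covers no logged request with the opposite decision."""
    def clashes(pc, rc):
        return any(a == action and d != decision and covers(pc, principals[p])
                   and covers(rc, resources[r]) for p, r, a, d in log)
    for item in sorted(pcat):
        if not clashes(pcat - {item}, rcat):
            pcat = pcat - {item}
    for item in sorted(rcat):
        if not clashes(pcat, rcat - {item}):
            rcat = rcat - {item}
    return pcat, rcat

def mine(log, principals, resources):
    """{(principal_category, resource_category, action): decision}; 'permit'
    rules are positive categories (authorisations), 'deny' rules negative ones."""
    policy = {}
    for p, r, action, decision in log:
        pcat, rcat = generalise(profile(principals[p]), profile(resources[r]),
                                action, decision, log, principals, resources)
        policy[(pcat, rcat, action)] = decision
    return policy

def evaluate(policy, pattrs, rattrs, action):
    """Deny-overrides (an assumption) over matching rules; None if none apply."""
    hits = {d for (pc, rc, a), d in policy.items()
            if a == action and covers(pc, pattrs) and covers(rc, rattrs)}
    return None if not hits else ("deny" if "deny" in hits else "permit")

def consistent(policy, log, principals, resources):
    """True when every logged permit and deny is reproduced by the policy."""
    return all(evaluate(policy, principals[p], resources[r], a) == d
               for p, r, a, d in log)
```

    Because generalisation never lets a category pair cover an opposite-decision log entry, the mined policy reproduces every logged decision; the negative category {unit=ward} for `read` is what makes a ward doctor's read request a prohibition.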


    Published In

    SaT-CPS '24: Proceedings of the 2024 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems
    June 2024, 97 pages
    ISBN: 9798400705557
    DOI: 10.1145/3643650
    This work is licensed under a Creative Commons Attribution-NoDerivatives International 4.0 License.

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. attribute-based access control
    2. category-based access control
    3. policy generation
    4. policy update

    Qualifiers

    • Research-article

    Conference

    CODASPY '24
