Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data

Thang Bui; Scott D. Stoller; Jiajie Li

doi:10.1007/978-3-030-18419-3_18

Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data

Thang Bui
, Scott D. Stoller
, Jiajie Li

Computer Science

Stony Brook University

Stony Brook University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

Relationship-based access control (ReBAC) extends attribute-based access control (ABAC) to allow policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents algorithms for mining ReBAC policies from information about entitlements together with information about entities. It presents the first such algorithms designed to handle incomplete information about entitlements, typically obtained from operation logs, and noise (errors) in information about entitlements. We present two algorithms: a greedy search guided by heuristics, and an evolutionary algorithm. We demonstrate the effectiveness of the algorithms on several policies, including 3 large case studies.

Original language	English
Title of host publication	Foundations and Practice of Security - 11th International Symposium, FPS 2018, Revised Selected Papers
Editors	Guillaume Bonfante, Nur Zincir-Heywood, Mourad Debbabi, Joaquin Garcia-Alfaro
Publisher	Springer Verlag
Pages	267-284
Number of pages	18
ISBN (Print)	9783030184186
DOIs	https://doi.org/10.1007/978-3-030-18419-3_18
State	Published - 2019
Event	11th International Symposium on Foundations and Practice of Security, FPS 2018 - Montreal, Canada Duration: Nov 13 2018 → Nov 15 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11358 LNCS

Conference

Conference	11th International Symposium on Foundations and Practice of Security, FPS 2018
Country/Territory	Canada
City	Montreal
Period	11/13/18 → 11/15/18

Access to Document

10.1007/978-3-030-18419-3_18

Cite this

Bui, T., Stoller, S. D., & Li, J. (2019). Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data. In G. Bonfante, N. Zincir-Heywood, M. Debbabi, & J. Garcia-Alfaro (Eds.), Foundations and Practice of Security - 11th International Symposium, FPS 2018, Revised Selected Papers (pp. 267-284). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11358 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-18419-3_18

Bui, Thang ; Stoller, Scott D. ; Li, Jiajie. / Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data. Foundations and Practice of Security - 11th International Symposium, FPS 2018, Revised Selected Papers. editor / Guillaume Bonfante ; Nur Zincir-Heywood ; Mourad Debbabi ; Joaquin Garcia-Alfaro. Springer Verlag, 2019. pp. 267-284 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{0ec7a2aee532452499e58aac1ea05c4a,

title = "Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data",

abstract = "Relationship-based access control (ReBAC) extends attribute-based access control (ABAC) to allow policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents algorithms for mining ReBAC policies from information about entitlements together with information about entities. It presents the first such algorithms designed to handle incomplete information about entitlements, typically obtained from operation logs, and noise (errors) in information about entitlements. We present two algorithms: a greedy search guided by heuristics, and an evolutionary algorithm. We demonstrate the effectiveness of the algorithms on several policies, including 3 large case studies.",

author = "Thang Bui and Stoller, \{Scott D.\} and Jiajie Li",

note = "Publisher Copyright: {\textcopyright} 2019, Springer Nature Switzerland AG.; 11th International Symposium on Foundations and Practice of Security, FPS 2018 ; Conference date: 13-11-2018 Through 15-11-2018",

year = "2019",

doi = "10.1007/978-3-030-18419-3\_18",

language = "English",

isbn = "9783030184186",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "267--284",

editor = "Guillaume Bonfante and Nur Zincir-Heywood and Mourad Debbabi and Joaquin Garcia-Alfaro",

booktitle = "Foundations and Practice of Security - 11th International Symposium, FPS 2018, Revised Selected Papers",

}

Bui, T, Stoller, SD & Li, J 2019, Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data. in G Bonfante, N Zincir-Heywood, M Debbabi & J Garcia-Alfaro (eds), Foundations and Practice of Security - 11th International Symposium, FPS 2018, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11358 LNCS, Springer Verlag, pp. 267-284, 11th International Symposium on Foundations and Practice of Security, FPS 2018, Montreal, Canada, 11/13/18. https://doi.org/10.1007/978-3-030-18419-3_18

Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data. / Bui, Thang; Stoller, Scott D.; Li, Jiajie.
Foundations and Practice of Security - 11th International Symposium, FPS 2018, Revised Selected Papers. ed. / Guillaume Bonfante; Nur Zincir-Heywood; Mourad Debbabi; Joaquin Garcia-Alfaro. Springer Verlag, 2019. p. 267-284 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11358 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data

AU - Bui, Thang

AU - Stoller, Scott D.

AU - Li, Jiajie

PY - 2019

Y1 - 2019

N2 - Relationship-based access control (ReBAC) extends attribute-based access control (ABAC) to allow policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents algorithms for mining ReBAC policies from information about entitlements together with information about entities. It presents the first such algorithms designed to handle incomplete information about entitlements, typically obtained from operation logs, and noise (errors) in information about entitlements. We present two algorithms: a greedy search guided by heuristics, and an evolutionary algorithm. We demonstrate the effectiveness of the algorithms on several policies, including 3 large case studies.

AB - Relationship-based access control (ReBAC) extends attribute-based access control (ABAC) to allow policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents algorithms for mining ReBAC policies from information about entitlements together with information about entities. It presents the first such algorithms designed to handle incomplete information about entitlements, typically obtained from operation logs, and noise (errors) in information about entitlements. We present two algorithms: a greedy search guided by heuristics, and an evolutionary algorithm. We demonstrate the effectiveness of the algorithms on several policies, including 3 large case studies.

UR - https://www.scopus.com/pages/publications/85066040340

U2 - 10.1007/978-3-030-18419-3_18

DO - 10.1007/978-3-030-18419-3_18

M3 - Conference contribution

SN - 9783030184186

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 267

EP - 284

BT - Foundations and Practice of Security - 11th International Symposium, FPS 2018, Revised Selected Papers

A2 - Bonfante, Guillaume

A2 - Zincir-Heywood, Nur

A2 - Debbabi, Mourad

A2 - Garcia-Alfaro, Joaquin

PB - Springer Verlag

T2 - 11th International Symposium on Foundations and Practice of Security, FPS 2018

Y2 - 13 November 2018 through 15 November 2018

ER -

Bui T, Stoller SD, Li J. Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data. In Bonfante G, Zincir-Heywood N, Debbabi M, Garcia-Alfaro J, editors, Foundations and Practice of Security - 11th International Symposium, FPS 2018, Revised Selected Papers. Springer Verlag. 2019. p. 267-284. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-18419-3_18

Mining Relationship-Based Access Control Policies from Incomplete and Noisy Data

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this