ABSTRACT
We consider a fundamentally new approach to role and policy mining: finding RBAC models that reflect the observed usage of entitlements and the attributes of users. Such policies are interpretable, i.e., there is a natural explanation of why a role is assigned to a user, and they are conservative from a security standpoint since they are based on actual usage. Further, such "generative" models provide many other benefits, including reconciliation with entitlement-based policies, detection of provisioning errors, and detection of anomalous behavior. Our contributions include defining the fundamental problem as an extension of the well-known role mining problem, as well as providing several new algorithms based on generative machine learning models. Our algorithms find models that are causally associated with the actual usage of entitlements and with any arbitrary combination of user attributes when such information is available. This is the most natural process for provisioning roles, and it addresses a key usability issue with existing role mining algorithms.
We have evaluated our approach on a large number of real-life data sets, and our algorithms produce good role decompositions as measured by metrics such as coverage, stability, and generality. We compare our algorithms with traditional role mining algorithms by equating usage with entitlement. Results show that our algorithms improve on existing approaches, including exact mining, approximate mining, and probabilistic algorithms; the results are more temporally stable than those of exact mining approaches, and our algorithms are faster than probabilistic algorithms while removing artificial constraints such as a fixed number of roles assigned to each user. Most importantly, we believe that these roles more accurately capture what users actually do, the essence of a role, which is not captured by traditional methods.
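The abstract compares usage-based mining with traditional role mining by "equating usage with entitlement", and lists reconciliation with provisioned entitlements, detection of provisioning errors, and detection of anomalous behavior as benefits. The following Python script is an added illustration of that pipeline on constructed data; it is not the paper's generative model or the authors' code. It thresholds observed usage counts into a binary user-permission matrix (the `min_uses` threshold is an assumption), mines roles with a simple baseline (any non-empty permission set shared by at least two users is a candidate role, and each user is greedily covered by the largest candidates that fit, with no limit on roles per user), reports a coverage metric, and then reconciles the mined model against the provisioned entitlements. The user names, permission names and usage counts are constructed sample values.

```python
from itertools import combinations

# Constructed sample data (not from the paper): how many times each user
# exercised each entitlement during the observation window.
USAGE = {
    "alice": {"read_ledger": 40, "post_journal": 12},
    "bob":   {"read_ledger": 35, "post_journal": 9},
    "carol": {"read_ledger": 50, "approve_payment": 7},
    "dave":  {"read_ledger": 2, "approve_payment": 0, "deploy_prod": 30},
    "erin":  {"deploy_prod": 3},
}

# Constructed provisioned entitlements: what the identity store says each
# user currently holds.
ENTITLEMENTS = {
    "alice": {"read_ledger", "post_journal"},
    "bob":   {"read_ledger", "post_journal", "approve_payment"},
    "carol": {"read_ledger", "approve_payment"},
    "dave":  {"read_ledger", "deploy_prod", "approve_payment"},
    "erin":  {"read_ledger"},
}


def usage_to_binary(usage, min_uses=1):
    """Equate usage with entitlement: a permission counts as held if it was
    exercised at least `min_uses` times (the threshold value is an assumption)."""
    return {user: frozenset(p for p, n in counts.items() if n >= min_uses)
            for user, counts in usage.items()}


def mine_roles(binary):
    """Baseline role mining over the binary usage matrix (a hypothetical
    baseline, not the paper's generative model). A candidate role is any
    non-empty permission set shared by at least two users; each user is
    greedily covered by the largest candidates that fit their usage, with
    no bound on the number of roles per user. Returns (roles, assignment).
    Permissions that no shared role explains are left uncovered."""
    candidates = set()
    for (_, perms_a), (_, perms_b) in combinations(binary.items(), 2):
        shared = perms_a & perms_b
        if shared:
            candidates.add(shared)
    ordered = sorted(candidates, key=lambda c: (-len(c), sorted(c)))
    assignment, used = {}, set()
    for user, perms in binary.items():
        remaining, chosen = set(perms), []
        for cand in ordered:
            if cand <= perms and cand & remaining:
                chosen.append(cand)
                remaining -= cand
            if not remaining:
                break
        assignment[user] = chosen
        used.update(chosen)
    roles = sorted(used, key=lambda c: (-len(c), sorted(c)))
    return roles, assignment


def coverage(binary, assignment):
    """Fraction of observed (user, permission) pairs explained by the roles
    assigned to the user, returned as (covered, total)."""
    total = sum(len(perms) for perms in binary.values())
    covered = 0
    for user, perms in binary.items():
        explained = frozenset().union(*assignment[user])
        covered += len(perms & explained)
    return covered, total


def reconcile(binary, entitlements, assignment):
    """Compare the usage-derived model with provisioned entitlements.
    unused_grants: provisioned but never exercised (candidate provisioning errors).
    use_without_grant: exercised with no provisioned entitlement (enforcement gap).
    unexplained_use: exercised, but no shared role accounts for it (review as
    possible anomalous behavior)."""
    report = {"unused_grants": [], "use_without_grant": [], "unexplained_use": []}
    for user, granted in entitlements.items():
        used = binary.get(user, frozenset())
        explained = frozenset().union(*assignment.get(user, []))
        report["unused_grants"] += [(user, p) for p in sorted(granted - used)]
        report["use_without_grant"] += [(user, p) for p in sorted(used - granted)]
        report["unexplained_use"] += [(user, p) for p in sorted(used - explained)]
    return report


def run_example():
    """Run the whole pipeline on the constructed data."""
    binary = usage_to_binary(USAGE)
    roles, assignment = mine_roles(binary)
    return {
        "roles": [sorted(r) for r in roles],
        "assignment": {u: [sorted(r) for r in rs] for u, rs in assignment.items()},
        "coverage": coverage(binary, assignment),
        "reconciliation": reconcile(binary, ENTITLEMENTS, assignment),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

On this data the mined roles are {read_ledger, post_journal}, {read_ledger} and {deploy_prod}; coverage is 8 of 9 observed user-permission pairs; carol's approve_payment use is not explained by any shared role; and bob's and dave's approve_payment grants and erin's read_ledger grant are flagged as provisioned but never used, while erin's deploy_prod use has no matching grant. In practice the count threshold and observation window drive the false-positive rate of the "unused grant" list, so they should be chosen against the longest legitimate usage cycle (for example quarter-end tasks) before any grant is revoked.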