Enabling intensional access control via preference-aware query optimization
Nicholas L. Farnan, Adam J. Lee, Panos K. Chrysanthis, Ting Yu

Although the declarative nature of SQL provides great utility to database users, its use in distributed database management systems can result in unintended consequences to user privacy over the course of query evaluation. By allowing users to merely say what data they are interested in accessing without providing guidance regarding how to retrieve it, query optimizers can generate plans that leak sensitive query intension. To address these types of issues, we have created a framework that empowers users with the ability to specify access controls on the intension of their queries through extensions to the SQL SELECT statement. In this demonstration, we present a version of PostgreSQL's query optimizer that we have modified to produce plans that respect these constraints while optimizing user-specified SQL queries in terms of performance.

DOI: https://doi.org/10.1145/2462410.2462428. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 189-192.
Ensuring continuous compliance through reconciling policy with usage
Suresh Chari, Ian Molloy, Youngja Park, Wilfried Teiken

Organizations rarely define formal security properties or policies for their access control systems, often choosing instead to react to changing needs. This paper addresses the problem of reconciling entitlement usage with configured policies for multiple objectives: policy optimization and risk mitigation. Policies should remain up to date, maintain least privilege, and use unambiguous constructs that reduce administrative stress.

We describe a number of algorithms and heuristics, validated on real-world data, to address various aspects of reconciling access control policies with security audit logs. The first set of algorithms tracks and correlates which policy items enable which actions; with this information we can identify over-privileged entitlements, redundant policy items that may not be correctly revoked by administrators, rarely used entitlements, and overly permissive entitlements. They can help reduce administrative errors and general operational risk. The second body of work compares user groups defined in the policy with roles generated from the actual usage patterns, from which we derive quality and security measures for policy groups. Finally, we track policy changes through assignments and revocations and test precursors for such changes (e.g., a failed request before an assignment). Broadly speaking, this body of work presents different facets of continuous compliance to see if the enforced security policy and the resulting usage are consistent with a common intended security goal.

DOI: https://doi.org/10.1145/2462410.2462417. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 49-60.
Heuristic safety analysis of access control models
Peter Amthor, Winfried E. Kühnhauser, Anja Pölck

Model-based security engineering uses formal security models for specifying and analyzing access control systems. Tool-based model analysis encounters a fundamental difficulty here: on the one hand, real-world access control systems generally are quite large and complex and require models that have high expressive power. On the other hand, analysis of such models is often pestered by computational complexity or even non-decidability, making it difficult to devise algorithms for automated analysis tools. One approach to this problem is to limit the expressive power of the modeling calculus, resulting in restrictions to the spectrum of application scenarios that can be modeled. In this paper we propose a different approach: a heuristic-based method for analyzing the safety properties of access control models with full expressive power. Aiming at generality, the paper focuses on the lineage of HRU-style, automaton-based access control models that are fundamental for modeling the dynamic behavior of contemporary role-based or attribute-based access control systems.

The paper motivates a heuristics-based approach to model analysis, describes in detail a heuristic model safety analysis algorithm, and discusses its computational complexity. The algorithm is the core of a security model analysis tool within the context of a security policy engineering workbench; a formal description of major components of its heuristic-based symbolic model execution engine is given, and its capacity to analyze complex real-world access control systems is evaluated.

DOI: https://doi.org/10.1145/2462410.2462413. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 137-148.
A storage-efficient cryptography-based access control solution for subversion
Dominik Leibenger, Christoph Sorge

Version control systems are widely used in software development and document management. Unfortunately, versioning confidential files is not normally supported: existing solutions encrypt the transport channel, but store data in plaintext within a repository. We come up with an access control solution that allows secure versioning of confidential files even in the presence of a malicious server administrator. Using convergent encryption as a building block, we enable space-efficient storage of version histories despite secure encryption. We describe an implementation of our concept for the Subversion (SVN) system, and evaluate storage efficiency and runtime of this implementation. Our implementation is compatible with existing SVN versions without requiring changes to the storage backend.

DOI: https://doi.org/10.1145/2462410.2462420. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 201-212.
ERBAC: event-driven RBAC
P. Bonatti, Clemente Galdi, Davide Torres

Context-aware access control systems should reactively adapt access control decisions to dynamic environmental conditions. In this paper we present an extension of the TRBAC model that allows the specification and enforcement of general reactive policies. Then we extend XACML to support the new model, and illustrate a prototype implementation of the PDP.

DOI: https://doi.org/10.1145/2462410.2462415. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 125-136.
Privacy promises that can be kept: a policy analysis method with application to the HIPAA privacy rule
Omar Chowdhury, Andreas Gampe, Jianwei Niu, J. Ronne, Jared Bennatt, Anupam Datta, Limin Jia, W. Winsborough

Organizations collect personal information from individuals to carry out their business functions. Federal privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), mandate how this collected information can be shared by the organizations. It is thus incumbent upon the organizations to have means to check compliance with the applicable regulations. Prior work by Barth et al. introduces two notions of compliance, weak compliance (WC) and strong compliance (SC). WC ensures that present requirements of the policy can be met, whereas SC also ensures obligations can be met. An action is compliant with a privacy policy if it is both weakly and strongly compliant. However, their definitions of compliance are restricted to only propositional linear temporal logic (pLTL), which cannot feasibly specify HIPAA. To this end, we present a policy specification language based on a restricted subset of first order temporal logic (FOTL) which can capture the privacy requirements of HIPAA. We then formally specify WC and SC for policies of our form. We prove that checking WC is feasible whereas checking SC is undecidable. We then formally specify the property WC entails SC, denoted by Δ, which requires that each weakly compliant action is also strongly compliant. To check whether an action is compliant with such a policy, it is sufficient to only check whether the action is weakly compliant with that policy. We also prove that when a policy ℘ has the Δ-property, the present requirements of the policy reduce to the safety requirements imposed by ℘. We then develop a sound, semi-automated technique for checking whether practical policies have the Δ-property. We finally use HIPAA as a case study to demonstrate the efficacy of our policy analysis technique.

DOI: https://doi.org/10.1145/2462410.2462423. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 3-14.
On the notion of redundancy in access control policies
M. Guarnieri, M. A. Neri, E. Magri, S. Mutti

The evolution of information systems brings an increasing need for flexible and sophisticated approaches to the automated detection of anomalies in security policies. One of these anomalies is redundancy, which may increase the total cost of managing the policies and may reduce the performance of access control mechanisms and of other anomaly detection techniques. We consider three approaches that can remove redundancy from access control policies, progressively reducing the number of authorizations in the policy itself. We show that several problems associated with redundancy are NP-hard. We propose exact solutions to two of these problems, namely the Minimum Policy Problem, which consists in computing the minimum policy that represents the behaviour of the system, and the Minimum Irreducible Policy Problem, which consists in computing the redundancy-free version of a policy with the smallest number of authorizations. Furthermore, we propose heuristic solutions to those problems. We also present a comparison between the exact and heuristic solutions based on experiments that use policies derived from bibliographical databases.

DOI: https://doi.org/10.1145/2462410.2462426. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 161-172.
A bigData platform for analytics on access control policies and logs
Suresh Chari, Ted Habeck, Ian Molloy, Youngja Park, Wilfried Teiken

Relying on an access control security policy alone to protect valuable resources is a dangerous practice. Prudent security must engage in other risk management and mitigation techniques to rapidly detect and recover from breaches. In reality, many security policies are either wrong, containing errors, or are misused and abused by malicious employees or compromised accounts; not all granted access is desirable. A popular approach to mitigate against these and other residual threats is to monitor applications to detect misuse and abuse of credentials in near real-time.

We will show a platform for monitoring applications and the use of analytic models on diverse datasets for detecting suspicious user activity. Our platform combines traditional data management systems with BigData platforms to efficiently apply analytics across security relevant data (policies, logs, metadata) and provide administrators a dashboard of the current security status of the organization, and the ability to investigate prioritized alerts. One key analytic in the demo is a novel generalization of the role mining problem as applied to access logs and modeling user behavior for anomalies. Other analytics include conventional statistical measures, Gaussian mixture models and clustering, Markov models, and entropic analysis of requests. This demonstration will walk through a prototype system and describe the analytics and underlying architecture.

DOI: https://doi.org/10.1145/2462410.2462433. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 185-188.
HyXAC: a hybrid approach for XML access control
Manogna Thimma, Tsam Kai Tsui, Bo Luo

While XML has been widely adopted for information sharing over the Internet, the need for efficient XML access control naturally arises. Various XML access control enforcement mechanisms have been proposed in the research community, such as view-based approaches and pre-processing approaches. Each category of solutions has its inherent advantages and disadvantages. For instance, the view-based approach provides high performance in query evaluation, but suffers from view maintenance issues. To remedy these problems, we propose a hybrid approach, namely HyXAC: Hybrid XML Access Control. HyXAC provides efficient access control and query processing by maximizing the utilization of available (but constrained) resources. HyXAC first uses the pre-processing approach as a baseline to process queries and define sub-views. In HyXAC, views are not defined on a per-role basis; instead, a sub-view is defined for each access control rule, and roles with identical rules share the sub-view. Moreover, HyXAC dynamically allocates the available resources (memory and secondary storage) to materialize and cache sub-views to improve query performance. With intensive experiments, we have shown that HyXAC optimizes the usage of system resources and improves the performance of query processing.

DOI: https://doi.org/10.1145/2462410.2462424. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 113-124.
Evolving role definitions through permission invocation patterns
Wen Zhang, You Chen, Carl A. Gunter, David M. Liebovitz, B. Malin

In role-based access control (RBAC), roles are traditionally defined as sets of permissions. Roles specified by administrators may be inaccurate, however, so data mining methods have been proposed to learn roles from actual permission utilization. These methods minimize variation from an information theoretic perspective, but they neglect the expert knowledge of administrators. In this paper, we propose a strategy to enable a controlled evolution of RBAC based on utilization. To accomplish this goal, we extend a subset enumeration framework to search candidate roles for an RBAC model that addresses an objective function which balances administrator beliefs and permission utilization. The rate of role evolution is controlled by an administrator-specified parameter. To assess effectiveness, we perform an empirical analysis using simulations, as well as a real world dataset from an electronic medical record system (EMR) in use at a large academic medical center (over 8000 users, 140 roles, and 140 permissions). We compare the results with several state-of-the-art role mining algorithms using 1) an outlier detection method on the new roles to evaluate the homogeneity of their behavior and 2) a set-based similarity measure between the original and new roles. The results illustrate that our method is comparable to the state-of-the-art, but allows for a range of RBAC models which trade off user behavior and administrator expectations. For instance, in the EMR dataset, we find the resulting RBAC model contains 22% outliers and a distance of 0.02 to the original RBAC model when the system is biased toward administrator belief, and 13% outliers and a distance of 0.26 to the original RBAC model when biased toward permission utilization.

DOI: https://doi.org/10.1145/2462410.2462422. Proceedings of the ... ACM Symposium on Access Control Models and Technologies, published 2013-06-12, pages 37-48.