Title
The Next 700 Policy Miners: A Universal Method for Building Policy Miners
Abstract
A myriad of access control policy languages have been and continue to be proposed. The design of policy miners for each such language is a challenging task that has required specialized machine learning and combinatorial algorithms. We present an alternative method, universal access control policy mining (Unicorn). We show how this method streamlines the design of policy miners for a wide variety of policy languages including ABAC, RBAC, RBAC with user-attribute constraints, RBAC with spatio-temporal constraints, and an expressive fragment of XACML. For the latter two, there were no known policy miners until now. To design a policy miner using Unicorn, one needs a policy language and a metric quantifying how well a policy fits an assignment of permissions to users. From these, one builds the policy miner as a search algorithm that computes a policy that best fits the given permission assignment. We experimentally evaluate the policy miners built with Unicorn on logs from Amazon and access control matrices from other companies. Despite the genericity of our method, our policy miners are competitive with and sometimes even better than specialized state-of-the-art policy miners. The true positive rates of policies we mined differ by only 5% from the policies mined by the state of the art and the false positive rates are always below 5%. In the case of ABAC, it even outperforms the state of the art.
Year
2019
DOI
10.1145/3319535.3354196
Venue
Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
Keywords
access control, machine learning, policy mining, security policies
Field
Internet privacy, Computer science, Computer security
DocType
Conference
ISBN
978-1-4503-6747-9
Citations
1
PageRank
0.35
References
0
Authors
4
Name              Order   Citations   PageRank
Carlos Cotrini    1       4           0.74
Luca Corinzia     2       1           2.38
Thilo Weghorn     3       5           1.10
David A. Basin    4       4930        281.93