Journal of Zhejiang University (Engineering Science)  2020, Vol. 54 Issue (11): 2149-2157    DOI: 10.3785/j.issn.1008-973X.2020.11.010
Computer and Control Engineering
Log-based rich-semantic ABAC policy mining
Wen-chao WU (毋文超), Zhi-yu REN* (任志宇), Xue-hui DU (杜学绘)
Information Engineering University, Zhengzhou 450001, Henan, China
(* corresponding author)
Abstract (translated from the Chinese):

To address fine-grained access control in large-scale environments, and to mine attribute-based access control (ABAC) policies that are easy for humans to read, match the behavior patterns of subjects, and are accurate and complete, thereby giving security administrators strong support for building, maintaining and optimizing policies, a log-based rich-semantic ABAC policy mining method is proposed. Building on a frequent pattern mining algorithm, the method mines ABAC policies that match subject behavior patterns from access logs and attribute data. A rich-semantic ABAC policy set is then obtained by analyzing the correctness and semantic quality of the mined policies. The accuracy and completeness of the policy set were verified by cross-validation: the algorithm achieves an F1 score of 0.8375 on a public dataset and 0.9394 on a handmade dataset. Validation on the handmade dataset shows that the algorithm obtains a higher-quality policy set than existing algorithms from a smaller training set, and that the readability of the resulting authorization rules is improved.
Abstract:

A log-based rich-semantic attribute-based access control (ABAC) policy mining method was proposed to deal with fine-grained access control in large-scale information systems and to mine a readable, accurate and complete ABAC policy set that is consistent with subject behavior profiles, so as to give security administrators strong support in constructing, maintaining and optimizing the ABAC policy set. The proposed method extracts ABAC policies consistent with subject behavior from the access log and attribute data by frequent pattern mining. The rich-semantic ABAC policy set is obtained by correctness and semantic quality analysis. The accuracy and completeness of the method were verified using cross-validation. The F1-score on the public dataset was 0.8375, and that on the handmade dataset was 0.9394. Validation on the handmade dataset indicates that the method mines a higher-quality policy set than existing methods from a small training set, and that the semantic quality of the authorization rules is also improved.

Key words: attribute-based access control (ABAC)    policy mining    access log    frequent pattern mining    rich-semantic policy
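As an added illustration of the pipeline the abstracts describe (this is not the authors' LRSAPM code, whose internals the page does not give), the following Python example mines ABAC rules from a constructed access log plus subject and object attribute tables by Apriori-style frequent itemset search, keeps only candidate rules that no denied log entry contradicts (a simple stand-in for the correctness analysis), prunes redundant rules so the set stays small and readable (a stand-in for the semantic quality analysis), and scores the result on a held-out fold with the same TPR/Recall, FPR, Precision and F1 metrics used in Table 2. The hospital data, the attribute names, the derived same_ward comparison item, the thresholds and all function names are assumptions made for the example.

```python
"""Log-based ABAC rule mining with frequent itemsets: a constructed example,
not the paper's LRSAPM code. Pipeline: access log + attribute data -> frequent
attribute patterns -> candidate rules -> correctness filter -> readability
pruning -> held-out TPR/FPR/Precision/F1. All names and data are hypothetical."""

# Constructed attribute tables for a hypothetical hospital.
SUBJECTS = {"alice": {"dept": "cardio", "role": "doctor"},
            "bob": {"dept": "cardio", "role": "nurse"},
            "carol": {"dept": "onco", "role": "doctor"},
            "dave": {"dept": "onco", "role": "nurse"},
            "eve": {"dept": "it", "role": "admin"}}
OBJECTS = {"rec1": {"type": "record", "ward": "cardio"},
           "rec2": {"type": "record", "ward": "cardio"},
           "rec3": {"type": "record", "ward": "onco"},
           "rec4": {"type": "record", "ward": "onco"},
           "cfg1": {"type": "config", "ward": "none"}}
# Constructed access log: (subject, object, action, granted?). Denied requests
# are kept on purpose: without them no over-general rule can ever be rejected.
TRAIN_LOG = [
    ("alice", "rec1", "read", True), ("alice", "rec2", "read", True),
    ("alice", "rec1", "write", True), ("bob", "rec1", "read", True),
    ("bob", "rec2", "read", True), ("bob", "rec1", "write", False),
    ("carol", "rec3", "read", True), ("carol", "rec4", "write", True),
    ("dave", "rec3", "read", True), ("dave", "rec4", "write", False),
    ("alice", "rec3", "read", False), ("carol", "rec1", "read", False),
    ("carol", "rec1", "write", False), ("eve", "cfg1", "write", True),
    ("eve", "cfg1", "read", True), ("bob", "cfg1", "read", False)]
TEST_LOG = [  # constructed held-out fold for the evaluation step
    ("bob", "rec3", "read", False), ("dave", "rec4", "read", True),
    ("alice", "rec2", "write", True), ("dave", "rec3", "write", False),
    ("eve", "cfg1", "write", True), ("carol", "rec4", "read", True)]


def items_of(subject, obj, action):
    """One log entry as a transaction of attribute=value items. same_ward is a
    derived item comparing a subject attribute with an object attribute, the
    kind of condition ABAC rules need but plain attribute values cannot express."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    return frozenset({f"s.dept={s['dept']}", f"s.role={s['role']}",
                      f"o.type={o['type']}", f"o.ward={o['ward']}",
                      f"same_ward={s['dept'] == o['ward']}", f"action={action}"})


def frequent_itemsets(transactions, min_support):
    """Level-wise (Apriori-style) search; returns {itemset: support}."""
    n = len(transactions)
    support = lambda itemset: sum(itemset <= t for t in transactions) / n
    level = {c for c in {frozenset([i]) for t in transactions for i in t}
             if support(c) >= min_support}
    frequent = {c: support(c) for c in level}
    while level:
        # join frequent k-itemsets into (k+1)-candidates and keep the frequent
        # ones (full Apriori also drops candidates with an infrequent subset)
        k = len(next(iter(level)))
        cands = {a | b for a in level for b in level if len(a | b) == k + 1}
        level = {c for c in cands if support(c) >= min_support}
        frequent.update({c: support(c) for c in level})
    return frequent


def mine_rules(log, min_support=0.2, min_conf=1.0):
    """Return ABAC rules (conditions, action item) mined from the log."""
    granted = [items_of(s, o, a) for s, o, a, ok in log if ok]
    all_tx = [(items_of(s, o, a), ok) for s, o, a, ok in log]
    candidates = []
    for itemset in frequent_itemsets(granted, min_support):
        acts = [i for i in itemset if i.startswith("action=")]
        conds = itemset - set(acts)
        if len(acts) != 1 or not conds:
            continue
        # correctness: confidence = share of matching log entries that were granted
        matched = [ok for tx, ok in all_tx if itemset <= tx]
        if sum(matched) / len(matched) >= min_conf:
            candidates.append((conds, acts[0]))
    # semantic quality: shortest rules first; keep a rule only if it covers a
    # granted entry no kept rule covers yet, so the set stays small and readable
    kept, covered = [], set()
    for conds, act in sorted(candidates, key=lambda r: (len(r[0]), sorted(r[0]))):
        new = {i for i, tx in enumerate(granted) if conds <= tx and act in tx}
        if not new <= covered:
            kept.append((conds, act))
            covered |= new
    return kept


def permits(rules, subject, obj, action):
    """Decision function: grant iff some mined rule matches the request."""
    tx = items_of(subject, obj, action)
    return any(conds <= tx and act in tx for conds, act in rules)


def evaluate(rules, log):
    """TPR (recall), FPR, precision and F1 of a rule set against a log."""
    tp = fp = fn = tn = 0
    for s, o, a, ok in log:
        pred = permits(rules, s, o, a)
        if pred and ok: tp += 1
        elif pred: fp += 1
        elif ok: fn += 1
        else: tn += 1
    ratio = lambda x, y: x / y if y else 0.0
    tpr, fpr, prec = ratio(tp, tp + fn), ratio(fp, fp + tn), ratio(tp, tp + fp)
    return {"TPR": tpr, "FPR": fpr, "Precision": prec,
            "F1": ratio(2 * prec * tpr, prec + tpr)}


if __name__ == "__main__":
    rules = mine_rules(TRAIN_LOG)
    print(*(f"permit {a[7:]} if {' and '.join(sorted(c))}" for c, a in rules), sep="\n")
    print(evaluate(rules, TEST_LOG))
```

On the constructed log the miner returns two rules, "permit read if same_ward=True" and "permit write if s.role=doctor and same_ward=True", and scores TPR 0.75, FPR 0, Precision 1.0, F1 0.857 on the held-out fold. Two points are worth noticing. First, the admin's accesses to cfg1 never reach min_support, so no rule covers them and recall drops: a log-based miner can only be as complete as the log is dense, which is why the abstract stresses training-set size. Second, the rule "permit write if s.role=doctor" is rejected only because the log contains a denied doctor write on a foreign ward; with an allow-only log the confidence filter would accept that over-general rule, so a practitioner should make sure denied decisions are logged before mining. Repeating the split over k folds and averaging the metrics gives the cross-validation the abstract refers to.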
Received: 2019-11-23    Published: 2020-12-15
CLC (Chinese Library Classification): TP 309
Funding: National Natural Science Foundation of China (61702550, 61802436); National Key Research and Development Program of China (2018YFB0803603)
Corresponding author: Zhi-yu REN     E-mail: 3130104330@zju.edu.cn; ren_ktzy@163.com
About the first author: Wen-chao WU (born 1995), male, master's student, working on access control. orcid.org/0000-0002-4731-1223. E-mail: 3130104330@zju.edu.cn

Cite this article:

Wen-chao WU, Zhi-yu REN, Xue-hui DU. Log-based rich-semantic ABAC policy mining. Journal of Zhejiang University (Engineering Science), 2020, 54(11): 2149-2157.

Original-language (Chinese) form of the citation: 毋文超, 任志宇, 杜学绘. 基于日志的富语义ABAC策略挖掘[J]. 浙江大学学报(工学版), 2020, 54(11): 2149-2157.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2020.11.010
http://www.zjujournals.com/eng/CN/Y2020/V54/I11/2149

Fig. 1  Flowchart of the LRSAPM algorithm

Table 1  Dataset information for Amazon-Employee and HealthCare

Dataset          Log entries   Subjects   Subject attributes   Objects   Object attributes
Amazon-Employee  32769         4244       8                    7519      1
HealthCare       2724          21         6                    18        7

Fig. 2  Effect of parameter T on the F1 score of the two algorithms
Fig. 3  Effect of parameter $K$ on the F1 score of the two algorithms
Fig. 4  Effect of the training-set proportion on the TPR/Recall of the two algorithms
Fig. 5  Effect of the training-set proportion on the FPR of the two algorithms
Fig. 6  Effect of the training-set proportion on the Precision of the two algorithms
Fig. 7  Effect of the training-set proportion on the F1 score of the two algorithms

Table 2  Comparison of LRSAPM and Rhapsody on the two datasets (TPR/Recall, FPR, Precision and F1-score). Rhapsody is the log-based ABAC rule mining algorithm of Cotrini et al. [15]; Amazon-Employee is the public dataset and HealthCare the handmade dataset referred to in the abstract.

Dataset          Algorithm   TPR/Recall   FPR      Precision   F1-score
Amazon-Employee  LRSAPM      0.9522       0.6200   0.7475      0.8375
Amazon-Employee  Rhapsody    0.9906       0.0018   0.0114      0.0226
HealthCare       LRSAPM      1            0        0.8858      0.9394
HealthCare       Rhapsody    0.9092       0.0186   0.6892      0.7833
References:

[1] SANDHU R S, SAMARATI P. Access control: principle and practice[J]. IEEE Communications Magazine, 1994, 32(9): 40-48. doi: 10.1109/35.312842
[2] WANG Xiao-ming, FU Hong, ZHANG Li-chen. Research progress on attribute-based access control[J]. Acta Electronica Sinica, 2010, (7): 33. (in Chinese)
[3] FANG Liang, YIN Li-hua, GUO Yun-chuan, et al. A survey of key technologies in attribute-based access control scheme[J]. Chinese Journal of Computers, 2017, 40(7): 1680-1698. doi: 10.11897/SP.J.1016.2017.01680 (in Chinese)
[4] DAS S, MITRA B, ATLURI V, et al. Policy engineering in RBAC and ABAC[M]// From database to cyber security. Cham: Springer, 2018: 24-54.
[5] HU V, FERRAIOLO D, KUHN R, et al. Guide to attribute based access control (ABAC) definition and considerations[R/OL]. NIST Special Publication 800-162. (2019-02-15). https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=914795.
[6] JIN Z, CUI Y, YAN Z. Survey of intrusion detection methods based on data mining algorithms[C]// Proceedings of the 2019 International Conference on Big Data Engineering. New York: ACM, 2019: 98-106.
[7] BAUER L, GARRISS S, REITER M K. Detecting and resolving policy misconfigurations in access-control systems[J]. ACM Transactions on Information and System Security, 2011, 14(1): 2.
[8] BAUER L, LIANG Y, REITER M K, et al. Discovering access-control misconfigurations: new approaches and evaluation methodologies[C]// Proceedings of the Second ACM Conference on Data and Application Security and Privacy (CODASPY). San Antonio: ACM, 2012: 95-104.
[9] NAROUEI M, KHANPOUR H, TAKABI H, et al. Towards a top-down policy engineering framework for attribute-based access control[C]// Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies (SACMAT). Indianapolis: ACM, 2017: 103-114.
[10] XU Z, STOLLER S D. Mining attribute-based access control policies[J]. IEEE Transactions on Dependable and Secure Computing, 2014, 12(5): 533-545.
[11] TALUKDAR T, BATRA G, VAIDYA J, et al. Efficient bottom-up mining of attribute based access control policies[C]// 2017 IEEE 3rd International Conference on Collaboration and Internet Computing (CIC). San Jose: IEEE, 2017: 339-348.
[12] KARIMI L, JOSHI J. An unsupervised learning based approach for mining attribute based access control policies[C]// 2018 IEEE International Conference on Big Data. Seattle: IEEE, 2018: 1427-1436.
[13] XU Z, STOLLER S D. Mining attribute-based access control policies from logs[C]// IFIP Annual Conference on Data and Applications Security and Privacy (DBSec). Heidelberg: Springer, 2014: 276-291.
[14] MOCANU D, TURKMEN F, LIOTTA A. Towards ABAC policy mining from logs with deep learning[C]// Proceedings of the 18th International Multiconference. Ljubljana: Intelligent Systems, 2015.
[15] COTRINI C, WEGHORN T, BASIN D. Mining ABAC rules from sparse logs[C]// 2018 IEEE European Symposium on Security and Privacy (EuroS&P). London: IEEE, 2018: 31-46.
[16] IYER P, MASOUMZADEH A. Mining positive and negative attribute-based access control policy rules[C]// Proceedings of the 23rd ACM Symposium on Access Control Models and Technologies (SACMAT). Indianapolis: ACM, 2018: 161-172.
[17] DAS S, SURAL S, VAIDYA J, et al. Using gini impurity to mine attribute-based access control policies with environment attributes[C]// Proceedings of the 23rd ACM Symposium on Access Control Models and Technologies (SACMAT). Indianapolis: ACM, 2018: 213-215.
[18] AGRAWAL R, SRIKANT R. Fast algorithms for mining association rules[C]// Proceedings of the 20th International Conference on Very Large Data Bases (VLDB). San Francisco: Morgan Kaufmann, 1994: 487-499.
[19] AGRAWAL R, IMIELINSKI T, SWAMI A. Mining association rules between sets of items in large databases[C]// Proceedings of the 1993 ACM SIGMOD International Conference on Management of Data. Washington: ACM, 1993: 207-216.