A log-based, rich-semantic attribute-based access control (ABAC) policy mining method is proposed to handle fine-grained access control in large-scale information systems. It mines a readable, accurate and complete ABAC policy set that is consistent with subject behavior profiles, giving security administrators strong support for constructing, maintaining and optimizing the policy set. The method applies frequent pattern mining to access logs and attribute data to find ABAC policies consistent with subject behavior, and then obtains the rich-semantic policy set through correctness and semantic-quality analysis. The accuracy and completeness of the method were verified by cross-validation: the F1-score was 0.8375 on a public dataset and 0.9394 on a handmade dataset. Validation on the handmade dataset shows that the method mines a higher-quality policy set than existing methods on a small training set, and the improvement in the semantic quality of the authorization rules is also demonstrated on the handmade dataset.
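The pipeline the abstract describes, in miniature: flatten each access-log record into attribute=value items, run frequent pattern mining (Apriori) over the permitted records, keep only candidate rules that no denied record matches (a simple correctness check), prefer the most general rule over its specialisations for readability, and score the mined policy on a held-out split with TPR/Recall, FPR, Precision and F1. This is an added Python example, not the paper's LRSAPM implementation; the access log, attribute names, hidden policy and thresholds are constructed for illustration.

```python
# Added illustration of log-based ABAC policy mining (not the paper's LRSAPM code).
# Records are flattened into attribute=value items; frequent itemsets among permitted
# records are candidate rules, a correctness check drops rules matched by denied
# records, and the mined policy is scored on a held-out log.

def rec(role, dept, res_type, action, decision):
    """One constructed log record: subject/resource/action attributes plus the logged decision."""
    return {"role": role, "dept": dept, "res_type": res_type,
            "action": action, "decision": decision}

# Constructed training log (hypothetical hidden policy: doctors may read anything,
# nurses may access schedules, everything else is denied).
TRAIN_LOG = [
    rec("doctor", "cardio", "record", "read", "permit"),
    rec("doctor", "neuro", "record", "read", "permit"),
    rec("nurse", "cardio", "schedule", "read", "permit"),
    rec("nurse", "neuro", "schedule", "write", "permit"),
    rec("doctor", "cardio", "record", "write", "deny"),
    rec("nurse", "cardio", "record", "read", "deny"),
    rec("intern", "neuro", "record", "read", "deny"),
    rec("intern", "cardio", "schedule", "read", "deny"),
]

# Constructed held-out log; the last record uses a role never seen in training,
# which a log-based miner cannot learn (it becomes a false negative).
TEST_LOG = [
    rec("doctor", "neuro", "schedule", "read", "permit"),
    rec("nurse", "cardio", "schedule", "write", "permit"),
    rec("doctor", "cardio", "record", "read", "permit"),
    rec("doctor", "cardio", "record", "write", "deny"),
    rec("intern", "cardio", "schedule", "write", "deny"),
    rec("nurse", "neuro", "record", "write", "deny"),
    rec("admin", "it", "schedule", "write", "permit"),
]


def to_items(record):
    """Flatten a record into (attribute, value) items, dropping the decision."""
    return frozenset((k, v) for k, v in record.items() if k != "decision")


def support(itemset, baskets):
    """Number of baskets containing every item of the itemset."""
    return sum(1 for b in baskets if itemset <= b)


def apriori(baskets, min_support):
    """Classic Apriori: grow frequent itemsets one item at a time, pruning any
    candidate that has an infrequent subset."""
    items = {i for b in baskets for i in b}
    level = {frozenset([i]) for i in items if support(frozenset([i]), baskets) >= min_support}
    frequent = set(level)
    while level:
        candidates = set()
        for a in level:
            for b in level:
                union = a | b
                if len(union) == len(a) + 1 and all(union - {x} in level for x in union):
                    candidates.add(union)
        level = {c for c in candidates if support(c, baskets) >= min_support}
        frequent |= level
    return frequent


def mine_rules(log, min_support=2, min_confidence=1.0):
    """Frequent patterns among permitted records whose confidence over the whole
    log (permits / all matches) meets the threshold; specialisations of an
    accepted rule are dropped so the policy stays general and readable."""
    permits = [to_items(r) for r in log if r["decision"] == "permit"]
    everything = [to_items(r) for r in log]
    accepted = []
    for pattern in apriori(permits, min_support):
        if support(pattern, permits) / support(pattern, everything) >= min_confidence:
            accepted.append(pattern)
    general = [r for r in accepted if not any(o < r for o in accepted)]
    return sorted(general, key=lambda r: (len(r), sorted(r)))


def render(rule):
    """Human-readable form of a mined rule."""
    return "permit if " + " and ".join(f"{k}={v}" for k, v in sorted(rule))


def decide(rules, record):
    """Permit when any mined rule's conditions hold, otherwise deny."""
    items = to_items(record)
    return "permit" if any(rule <= items for rule in rules) else "deny"


def evaluate(rules, log):
    """TPR/Recall, FPR, Precision and F1 of the mined policy on a held-out log."""
    tp = fp = fn = tn = 0
    for record in log:
        predicted, actual = decide(rules, record), record["decision"]
        if predicted == "permit":
            tp += actual == "permit"
            fp += actual == "deny"
        else:
            fn += actual == "permit"
            tn += actual == "deny"
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    f1 = 2 * precision * tpr / (precision + tpr) if precision + tpr else 0.0
    return {"TPR": tpr, "FPR": fpr, "Precision": precision, "F1": f1}


if __name__ == "__main__":
    mined = mine_rules(TRAIN_LOG)
    for rule in mined:
        print(render(rule))
    print(evaluate(mined, TEST_LOG))
```

On the constructed log the miner returns two rules, `permit if action=read and role=doctor` and `permit if res_type=schedule and role=nurse`: the more specific pattern doctor+record+read is also frequent and correct, but it is discarded in favour of its generalisation. The held-out evaluation then reports TPR 0.75, FPR 0 and Precision 1 (F1 ≈ 0.857), the single miss being the admin record, which shows why completeness of a log-mined policy is bounded by the behaviour the log actually contains.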
Tab.1 Dataset information about AmazonEmployee and HealthCare
Fig.2 Influence of parameter T on F1-score of two algorithms
Fig.3 Influence of parameter $K$ on F1-score of two algorithms
Fig.4 Influence of train set ratio on TPR/Recall of two algorithms
Fig.5 Influence of train set ratio on FPR of two algorithms
Fig.6 Influence of train set ratio on Precision of two algorithms
Fig.7 Influence of train set ratio on F1-score of two algorithms
Tab.2 Comparison of F1-score of two algorithms on two datasets

Dataset           Algorithm   TPR/Recall   FPR      Precision   F1-score
Amazon-Employee   LRSAPM      0.9522       0.6200   0.7475      0.8375
Amazon-Employee   Rhapsody    0.9906       0.0018   0.0114      0.0226
Health-Care       LRSAPM      1            0        0.8858      0.9394
Health-Care       Rhapsody    0.9092       0.0186   0.6892      0.7833