Supervised Learning-Based Approach Mining ABAC Rules from Existing RBAC Enabled Systems
Keywords: Attribute-Based Access Control (ABAC), Role-Based Access Control (RBAC), Mining ABAC Rules, Supervised Machine Learning
Attribute-Based Access Control (ABAC) is an emerging access control model. It is more flexible and scalable than earlier models, is the model best suited to today's large-scale, distributed, and open application environments, and has become an active research area. Role-Based Access Control (RBAC), however, has so far been the most widely used general-purpose access control model: it is simple to administer and its policies are simple to define. But RBAC's user-to-role assignment process does not scale to large organizations with many users. To keep pace with organizational growth, an RBAC system therefore needs to be transformed into ABAC, and transforming an existing RBAC system into ABAC is complicated and time-consuming. In this paper, we present a supervised machine learning-based approach that extracts attribute-based conditions from the existing RBAC system and uses them to construct initial ABAC rules, simplifying the transformation of an RBAC system into ABAC.
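The abstract describes the approach only at a high level. The following is an added illustration of the general idea, written for this page; it is not the paper's code and does not reproduce the authors' learner or data. It assumes a supervised learner (an ID3-style decision tree, implemented from scratch so it runs offline) trained on a constructed RBAC snapshot in which each user's directory attributes are the features and the RBAC role is the label. Each root-to-leaf path of the tree becomes an ABAC rule carrying that role's permissions, and a consistency check compares the decisions of the mined ABAC policy with the original RBAC assignments. The role names, permissions, attributes and users are all constructed for the example.

```python
"""Added example: mine ABAC rules from an RBAC snapshot with a decision tree (ID3)."""
from collections import Counter
from math import log2

# Constructed RBAC snapshot (illustrative only, not the paper's data).
ROLE_PERMS = {
    "Physician": {"read_ehr", "write_ehr", "prescribe"},
    "Nurse": {"read_ehr", "write_ehr"},
    "Billing": {"read_invoice", "write_invoice"},
    "Auditor": {"read_ehr", "read_invoice"},
}
# user -> (attributes taken from the directory, role assigned in RBAC)
USERS = {
    "u1": ({"dept": "clinical", "title": "doctor", "cleared": "yes"}, "Physician"),
    "u2": ({"dept": "clinical", "title": "doctor", "cleared": "yes"}, "Physician"),
    "u3": ({"dept": "clinical", "title": "nurse", "cleared": "yes"}, "Nurse"),
    "u4": ({"dept": "clinical", "title": "nurse", "cleared": "no"}, "Nurse"),
    "u5": ({"dept": "finance", "title": "analyst", "cleared": "no"}, "Billing"),
    "u6": ({"dept": "finance", "title": "analyst", "cleared": "yes"}, "Billing"),
    "u7": ({"dept": "compliance", "title": "analyst", "cleared": "yes"}, "Auditor"),
    "u8": ({"dept": "compliance", "title": "analyst", "cleared": "no"}, "Auditor"),
}


def entropy(labels):
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values())


def best_split(rows, attrs):
    """Attribute with the highest information gain, or None if no attribute helps."""
    base = entropy([role for _, role in rows])
    best, best_gain = None, 0.0
    for a in sorted(attrs):  # sorted order gives a deterministic tie-break
        remainder = 0.0
        for v in {user_attrs[a] for user_attrs, _ in rows}:
            sub = [role for user_attrs, role in rows if user_attrs[a] == v]
            remainder += len(sub) / len(rows) * entropy(sub)
        if base - remainder > best_gain + 1e-12:
            best, best_gain = a, base - remainder
    return best


def mine_paths(rows, attrs, cond=None):
    """Every root-to-leaf path of the tree as (attribute condition, role)."""
    cond = cond or {}
    a = best_split(rows, attrs)
    if a is None:  # pure leaf, or the attributes cannot separate the remaining roles
        majority = Counter(role for _, role in rows).most_common(1)[0][0]
        return [(cond, majority)]
    paths = []
    for v in sorted({user_attrs[a] for user_attrs, _ in rows}):
        sub = [row for row in rows if row[0][a] == v]
        paths += mine_paths(sub, attrs - {a}, {**cond, a: v})
    return paths


def abac_rules(users=USERS, role_perms=ROLE_PERMS):
    """Mined ABAC policy: list of (attribute condition, permission set)."""
    rows = list(users.values())
    attrs = set(rows[0][0])
    return [(cond, role_perms[role]) for cond, role in mine_paths(rows, attrs)]


def permitted(rules, attrs):
    """ABAC decision: union of the permissions of every matching rule; default deny."""
    perms = set()
    for cond, ps in rules:
        if all(attrs.get(k) == v for k, v in cond.items()):
            perms |= ps
    return perms


def check_consistency(rules, users=USERS, role_perms=ROLE_PERMS):
    """Users whose mined ABAC permissions differ from their RBAC permissions, with the difference."""
    diffs = {}
    for u, (attrs, role) in users.items():
        delta = permitted(rules, attrs) ^ role_perms[role]
        if delta:
            diffs[u] = delta
    return diffs


if __name__ == "__main__":
    rules = abac_rules()
    for cond, perms in rules:
        print(" AND ".join(f"{k}={v}" for k, v in cond.items()), "->", sorted(perms))
    print("inconsistencies:", check_consistency(rules))
```

On the constructed snapshot the miner produces four rules (for example `dept=clinical AND title=doctor` granting the Physician permissions) and the `cleared` attribute is never used, because it carries no information about the roles. The consistency check is the step a practitioner should not skip: a user whose RBAC grant is not explained by their attributes (an exception grant, say a doctor who was deliberately assigned only the Nurse role) ends up in a mixed leaf, the tree generalizes to the majority role, and the check reports the extra or missing permissions so that such cases are reviewed instead of silently becoming policy. Users whose attributes match no rule receive no permissions, which is the default-deny behaviour an ABAC policy should keep.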
Copyright (c) 2022 Gurucharansingh Sahani, Chirag Thaker, Sanjay Shah
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
This is an open access article distributed under the terms of the CC BY-NC-SA 4.0, which permits copying, redistributing, remixing, transformation, and building upon the material in any medium so long as the original work is properly cited.