Zhongyuan Xu

Type

Text

Type

Dissertation

Advisor

Stoller, Scott D | Ramakrishnan, I.V. | Johnson, Rob | Molloy, Ian.

Date

2014-12-01

Keywords

access control, computer security, policy mining, role mining | Computer science

Department

Department of Computer Science.

Language

en_US

Source

This work is sponsored by the Stony Brook University Graduate School in compliance with the requirements for completion of degree.

Identifier

http://hdl.handle.net/11401/77317

Publisher

The Graduate School, Stony Brook University: Stony Brook, NY.

Format

application/pdf

Abstract

Advanced models of access control, such as role-based access control (RBAC) and attribute-based access control (ABAC), offer important advantages over lower-level access control policy representations, such as access control lists (ACLs). However, the effort required for a large organization to migrate from ACLs to RBAC or ABAC can be a major obstacle to adoption of RBAC or ABAC. Policy mining algorithms partially automate the construction of advanced access control policies from ACL policies and possibly other information, such as user and resource attributes. These algorithms can greatly reduce the cost of migration to RBAC or ABAC. This dissertation presents several new policy mining algorithms. First, this dissertation considers mining of role-based policies from ACL policies and possibly other information. The dissertation presents new and flexible algorithms for this problem. The algorithms can easily be used to optimize a variety of RBAC policy quality metrics, including metrics based on policy size, metrics based on interpretability of the roles with respect to user attribute data, and compound metrics that consider size and interpretability. In experiments with publicly available access control policies, one of our algorithms achieves significantly better results than previous work. Next, this dissertation considers mining of parameterized role based policies. Parameterization significantly enhances the scalability of RBAC, by allowing more concise policies. This dissertation defined a parameterized RBAC (PRBAC) framework, in which users and permissions have attributes that are implicit parameters of roles and can be used in role definitions. Algorithms are presented for mining PRBAC policies from ACLs and attribute data. To the best of our knowledge, this is the first PRBAC policy mining algorithm. Evaluation on three small but non-trivial case studies demonstrates the effectiveness of our algorithm. Finally, this dissertation considers mining of attribute-based policies. ABAC allows policies to be written in a concise, flexible, and high-level way. Three versions of the ABAC policy mining problem are considered, differing in the input: (1) mining ABAC policies from ACLs and attribute data, (2) mining ABAC policies from RBAC policies and attribute data, and (3) mining ABAC policies from operation logs and attribute data. Algorithms are presented for all three versions of the problem. Extensions of the algorithms to identify suspected noise in the input data are also described. To the best of our knowledge, these are the first ABAC policy mining algorithms. Evaluations on sample policies and synthetic policies demonstrate the effectiveness of our algorithms. | 136 pages

Download

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.