Volume 44 Issue 1
Jan.  2022
LIU Aodi, DU Xuehui, WANG Na, SHAN Dibin, ZHANG Liu. Access Control Policy Generation Method Based on Access Control Logs[J]. Journal of Electronics & Information Technology, 2022, 44(1): 324-331. doi: 10.11999/JEIT200924

Access Control Policy Generation Method Based on Access Control Logs

doi: 10.11999/JEIT200924
Funds: National Key Research and Development Program of China (2018YFB0803603, 2016YFB0501901), National Natural Science Foundation of China (61802436, 61902447)
  • Received Date: 2020-10-29
  • Rev Recd Date: 2021-09-19
  • Available Online: 2021-09-29
  • Publish Date: 2022-01-10
  • To address the policy generation problem that arises when other access control mechanisms are migrated to an attribute-based access control mechanism, an access control policy generation method based on access control logs is proposed. The recursive attribute elimination method is used for attribute selection. Based on information impurity, the attribute-permission relationship is extracted from the access control logs and combined with the result of entity attribute selection to build the policy structure tree, which yields the Attribute-Based Access Control (ABAC) policies. In addition, an optimization algorithm based on binary search is designed to quickly calculate the parameters for optimal policy generation. The experimental results show that only 32.56% of the attribute information in the original entity attribute set is needed to cover 95% of the permissions in the log. The size of the policies is also reduced to 33.33% of the original size. These results demonstrate the effectiveness of the scheme.
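The impurity-based extraction step described in the abstract can be illustrated with the added example below, which is not the authors' code: it grows a greedy Gini-impurity tree over a constructed access log and reads each permit leaf off as an ABAC rule. The attribute names, the log rows and the plain greedy split are assumptions; the paper's recursive attribute elimination and binary-search parameter tuning are not reproduced.

```python
from collections import Counter

# Constructed sample log (attributes, decision); names and values are assumptions.
LOG = [
    ({"role": "doctor", "dept": "cardio", "res": "record", "shift": "day"},   "permit"),
    ({"role": "doctor", "dept": "cardio", "res": "record", "shift": "night"}, "permit"),
    ({"role": "doctor", "dept": "onco",   "res": "record", "shift": "day"},   "permit"),
    ({"role": "nurse",  "dept": "cardio", "res": "record", "shift": "day"},   "deny"),
    ({"role": "nurse",  "dept": "onco",   "res": "chart",  "shift": "night"}, "permit"),
    ({"role": "nurse",  "dept": "cardio", "res": "chart",  "shift": "day"},   "permit"),
    ({"role": "clerk",  "dept": "onco",   "res": "record", "shift": "day"},   "deny"),
    ({"role": "clerk",  "dept": "cardio", "res": "chart",  "shift": "night"}, "deny"),
]

def gini(rows):
    """Gini impurity of the decisions in a set of log rows."""
    counts = Counter(d for _, d in rows)
    return 1.0 - sum((c / len(rows)) ** 2 for c in counts.values())

def split(rows, attr):
    """Partition log rows by the value they carry for one attribute."""
    groups = {}
    for row in rows:
        groups.setdefault(row[0][attr], []).append(row)
    return groups

def best_attr(rows, attrs):
    """Attribute whose split leaves the lowest weighted impurity."""
    def weighted(a):
        return sum(len(g) / len(rows) * gini(g) for g in split(rows, a).values())
    return min(sorted(attrs), key=weighted)

def mine_rules(rows, attrs, cond=()):
    """Grow the tree; each leaf whose majority decision is permit becomes a rule."""
    if gini(rows) == 0.0 or not attrs:
        majority = Counter(d for _, d in rows).most_common(1)[0][0]
        return [dict(cond)] if majority == "permit" else []
    a = best_attr(rows, attrs)
    rules = []
    for value, group in sorted(split(rows, a).items()):
        rules += mine_rules(group, attrs - {a}, cond + ((a, value),))
    return rules

def permits(rules, request):
    """Default deny: permit only if every condition of some rule matches."""
    return any(all(request.get(k) == v for k, v in r.items()) for r in rules)

RULES = mine_rules(LOG, {"role", "dept", "res", "shift"})
USED = {k for r in RULES for k in r}  # attributes the mined policy actually needs
```

On this log the mined policy reproduces every logged decision while referring to only two of the four attributes, which is the kind of attribute and policy-size reduction the abstract reports.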