Ian Molloy,Ninghui Li,Jorge Lobo,Yuan Qi,Luke Dickens

2010-01-01

Abstract:There has been increasing interest in automatic techniques for generating roles for role-based access control, a process known as role mining. Most role mining approaches assume the input data is clean, and attempt to optimize the RBAC state. We examine role mining with noisy input data and suggest dividing the problem into two steps: noise removal and candidate role generation. We introduce an approach to use (non-binary) rank reduced matrix factorization to identify noise and experimentally show that it is effective at identifying noise in access control data. User- and permission-attributes can further be used to improve accuracy. Next, we show that our two-step approach is able to find candidate roles that are close to the roles mined from noise-less data. This method performs better than the approach of mining noisy data directly and offering the administrator increased control in the noise removal and candidate role generation phases. We note that our approach is applicable outside role engineering and may be used to identify errors or predict missing values in any access control matrix.

Mario Frank,Joachim M. Buhmann,David Basin

DOI: https://doi.org/10.48550/arXiv.1212.4775

2013-01-05

Abstract:Role mining tackles the problem of finding a role-based access control (RBAC) configuration, given an access-control matrix assigning users to access permissions as input. Most role mining approaches work by constructing a large set of candidate roles and use a greedy selection strategy to iteratively pick a small subset such that the differences between the resulting RBAC configuration and the access control matrix are minimized. In this paper, we advocate an alternative approach that recasts role mining as an inference problem rather than a lossy compression problem. Instead of using combinatorial algorithms to minimize the number of roles needed to represent the access-control matrix, we derive probabilistic models to learn the RBAC configuration that most likely underlies the given matrix. Our models are generative in that they reflect the way that permissions are assigned to users in a given RBAC configuration. We additionally model how user-permission assignments that conflict with an RBAC configuration emerge and we investigate the influence of constraints on role hierarchies and on the number of assignments. In experiments with access-control matrices from real-world enterprises, we compare our proposed models with other role mining methods. Our results show that our probabilistic models infer roles that generalize well to new system users for a wide variety of data, while other models' generalization abilities depend on the dataset given.

Cryptography and Security,Machine Learning

Scott D. Stoller,Thang Bui

DOI: https://doi.org/10.48550/arXiv.1603.02640

2017-10-16

Abstract:Temporal role-based access control (TRBAC) extends role-based access control to limit the times at which roles are enabled. This paper presents a new algorithm for mining high-quality TRBAC policies from timed ACLs (i.e., ACLs with time limits in the entries) and optionally user attribute information. Such algorithms have potential to significantly reduce the cost of migration from timed ACLs to TRBAC. The algorithm is parameterized by the policy quality metric. We consider multiple quality metrics, including number of roles, weighted structural complexity (a generalization of policy size), and (when user attribute information is available) interpretability, i.e., how well role membership can be characterized in terms of user attributes. Ours is the first TRBAC policy mining algorithm that produces hierarchical policies, and the first that optimizes weighted structural complexity or interpretability. In experiments with datasets based on real-world ACL policies, our algorithm is more effective than previous algorithms at optimizing policy quality.

Cryptography and Security

Carlo Blundo,Stelvio Cimato

DOI: https://doi.org/10.48550/arXiv.1203.3744

2012-03-16

Abstract:Role Based Access Control (RBAC) is a very popular access control model, for long time investigated and widely deployed in the security architecture of different enterprises. To implement RBAC, roles have to be firstly identified within the considered organization. Usually the process of (automatically) defining the roles in a bottom up way, starting from the permissions assigned to each user, is called {\it role mining}. In literature, the role mining problem has been formally analyzed and several techniques have been proposed in order to obtain a set of valid roles. Recently, the problem of defining different kind of constraints on the number and the size of the roles included in the resulting role set has been addressed. In this paper we provide a formal definition of the role mining problem under the cardinality constraint, i.e. restricting the maximum number of permissions that can be included in a role. We discuss formally the computational complexity of the problem and propose a novel heuristic. Furthermore we present experimental results obtained after the application of the proposed heuristic on both real and synthetic datasets, and compare the resulting performance to previous proposals

Cryptography and Security

Hejiao Huang,Feng Shang,Jinling Liu,Hongwei Du

DOI: https://doi.org/10.1007/s10878-013-9633-9

2013-01-01

Journal of Combinatorial Optimization

Abstract:For a given role-based access control (RBAC) configuration, user-role assignment satisfying least privilege principle (specified as LPUAP) is one of the most important problems to be solved in information security. LPUAP has been proved to be NP-hard. This paper gives several efficient greedy algorithms for handling this problem. Experiment results show that the output of our algorithms is almost optimal while the running time is greatly reduced. In another case where a RBAC configuration is to be set up, minimizing the descriptive set of roles (specified as Basic-RMP) and minimizing the administrative assignments for roles (specified as Edge-RMP) can greatly decrease the management costs. Both role mining problems (i.e., Basic-RMP and Edge-RMP) have also been proved to be NP-hard. This paper converts Basic-RMP to set cover problem and Edge-RMP to weighted set cover problem, and two algorithms respectively named \(GA_{Basic}\) algorithm for Basic-RMP and \(GA_{Edge}\) algorithm for Edge-RMP, are designed. Experiment results show that the average similarity rate between role sets produced by \(GA_{Basic}\) algorithm and the original ones used in generating the dataset is above 90 %. However, in the process of converting role mining into Set Cover Problem, the number of candidate role set is very large. In order to reduce the complexity of the \(GA_{Basic}\) algorithm, this paper presents a new polynomial-time algorithm with a performance nearly the same as that of \(GA_{Basic}\) algorithm.

Chao Huang,Jian-ling Sun,Xin-yu Wang,Yuan-jie Si

DOI: https://doi.org/10.1631/jzus.c0910186

2010-01-01

Journal of Zhejiang University SCIENCE C

Abstract:Web service composition is a low cost and efficient way to leverage the existing resource and implementation. In current Web service composition implementations, the issue of how to define the role for a new composite Web service has been little addressed. Adjusting the access control policy for a new composite Web service always causes substantial administration overhead from the security administrator. Furthermore, the distributed nature of Web service based applications makes traditional role mining methods obsolete. In this paper, we analyze the minimal role mining problem for Web service composition, and prove that this problem is NP-complete. We propose a sub-optimal greedy algorithm based on the analysis of necessary role mapping for interoperation across multiple domains. Simulation shows the effectiveness of our algorithm, and compared to the existing methods, our algorithm has significant performance advantages. We also demonstrate the practical application of our method in a real agent based Web service system. The results show that our method could find the minimal role mapping efficiently.

Alessandro Colantonio,Roberto Di Pietro,Alberto Ocello

DOI: https://doi.org/10.1145/1363686.1364198

2008-01-01

Abstract:In recent years role-based access control (RBAC) has been spreading within organizations. However, companies still have considerable difficulty migrating to this model, due to the complexity involved in identifying a set of roles fitting the real needs of the company. All the various role engineering methods proposed thus far lack a metric for measuring the "quality" of candidate roles produced. This paper proposes a new approach guided by a cost-based metric, where "cost" represents the effort to administer the resulting RBAC. Further, we propose REAM (Role-Based Association-rule Mining), an algorithm leveraging the cost metric to find candidate role-sets with the lowest possible administration cost. For a specific parameter set, RBAM behaves as already existing role mining algorithms and is, worst case, NP-complete. Yet, we will provide several examples showing the sensibility of assumptions made by the algorithm. Further, application of the algorithm to real data will highlight the improvements over current solutions. Finally, we comment on the direction of future research.

Weidong Zhao,Mao Ye

2007-01-01

Abstract:Workflow mining can extract workflow models from event logs but the models are almost activity-based In this paper, we aim at workflow mining from the perspective of roles. In doing so, the URPA model is extended to produce the role-based USPA (user-sub role-permission-act) model. Then the RAD-based workflow-mining algorithm is proposed to satisfy USPA model, which makes use of process supervisors to represent role-based workflow models with the block structure.

Xinyi Zhang,Weili Han,Zheran Fang,Yuliang Yin,Hossen A. Mustafa

DOI: https://doi.org/10.1145/2484417.2484423

2013-01-01

Abstract:Role mining is a very useful engineering method to help administrators set up the mechanism of role based access control for information systems, but not applied in the Android security framework so far. This paper uses large volume Android applications from the Android Market (Google Play Store now), which include 44,971 applications (subjects), 125 permissions, and 222,734 application-permission assignments (application, permission), to evaluate the effectiveness of five popular role mining algorithms: HM, HPr, HPe, GO, and ORCA. Furthermore, according to the features of Android applications, we propose Mine-Tag, an algorithm that generates tags based on the descriptions of Android applications. These tags can be attached to each mined role to help administrators manage the roles. We set up experiments, evaluate algorithms, and discuss the insights of mining methods in Android applications.

赵卫东,戴伟辉

DOI: https://doi.org/10.3321/j.issn:1001-506x.2008.05.044

2008-01-01

Abstract:Workflow mining extracts information from event logs to capture workflow models but it is almost activity-driven at the present time.The mining workflow from the perspective of role concept is proposed.In doing so,the user-role-permission-act(URPA)model is first modified to produce the role-based user-sub role-permission-act(USPA)model.Then using the USPA model,a role activity diagram(RAD) based on workflow-mining algorithm is proposed,which results in workflow models made up of role blocks and management roles.

Weifan Long,Wen,Peng Zhai,Lihua Zhang

2024-01-01

Abstract:Zero-shot coordination problem in multi-agent reinforcement learning (MARL), which requires agents to adapt to unseen agents, has attracted increasing attention. Traditional approaches often rely on the Self-Play (SP) framework to generate a diverse set of policies in a policy pool, which serves to improve the generalization capability of the final agent. However, these frameworks may struggle to capture the full spectrum of potential strategies, especially in real-world scenarios that demand agents balance cooperation with competition. In such settings, agents need strategies that can adapt to varying and often conflicting goals. Drawing inspiration from Social Value Orientation (SVO)-where individuals maintain stable value orientations during interactions with others-we propose a novel framework called Role Play (RP). RP employs role embeddings to transform the challenge of policy diversity into a more manageable diversity of roles. It trains a common policy with role embedding observations and employs a role predictor to estimate the joint role embeddings of other agents, helping the learning agent adapt to its assigned role. We theoretically prove that an approximate optimal policy can be achieved by optimizing the expected cumulative reward relative to an approximate role-based policy. Experimental results in both cooperative (Overcooked) and mixed-motive games (Harvest, CleanUp) reveal that RP consistently outperforms strong baselines when interacting with unseen agents, highlighting its robustness and adaptability in complex environments.

Dana Zhang,Kotagiri Ramamohanarao,Steven Versteeg,Rui Zhang

DOI: https://doi.org/10.1145/1852666.1852694

2010-01-01

Abstract:Role Engineering for Role Based Access Control (RBAC) has emerged as a challenging area of research, both in industry and academia. The problem originates from the practical need to create a set of roles that accurately reflects the internal functionalities of an enterprise. Existing approaches that have used data mining techniques for this problem often generate too many candidate roles and do not consider the effect of a given combination of roles on the overall configuration. Identification of an ideal RBAC solution is only possible with a clear and concise evaluation of the RBAC configuration goals. To address this issue, we discuss use of the graph model for the Role Engineering problem and show how effective this approach is in the search for a role engineering solution. We evaluate and formalise the problem of identifying the minimum number of descriptive roles for RBAC using a graph model and propose how its variations can be represented. Finally, we introduce novel strategies using the proposed models for future innovation and perform experimentation on both real and synthetically generated data.

Rubina Ghazal,Ahmad Kamran Malik,Basit Raza,Nauman Qadeer,Nafees Qamar,Sajal Bhatia

DOI: https://doi.org/10.3390/s21134253

2021-06-22

Abstract:Significance and popularity of Role-Based Access Control (RBAC) is inevitable; however, its application is highly challenging in multi-domain collaborative smart city environments. The reason is its limitations in adapting the dynamically changing information of users, tasks, access policies and resources in such applications. It also does not incorporate semantically meaningful business roles, which could have a diverse impact upon access decisions in such multi-domain collaborative business environments. We propose an Intelligent Role-based Access Control (I-RBAC) model that uses intelligent software agents for achieving intelligent access control in such highly dynamic multi-domain environments. The novelty of this model lies in using a core I-RBAC ontology that is developed using real-world semantic business roles as occupational roles provided by Standard Occupational Classification (SOC), USA. It contains around 1400 business roles, from nearly all domains, along with their detailed task descriptions as well as hierarchical relationships among them. The semantic role mining process is performed through intelligent agents that use word embedding and a bidirectional LSTM deep neural network for automated population of organizational ontology from its unstructured text policy and, subsequently, matching this ontology with core I-RBAC ontology to extract unified business roles. The experimentation was performed on a large number of collaboration case scenarios of five multi-domain organizations and promising results were obtained regarding the accuracy of automatically derived RDF triples (Subject, Predicate, Object) from organizational text policies as well as the accuracy of extracted semantically meaningful roles.

Zhongyuan Xu,Scott D. Stoller

DOI: https://doi.org/10.48550/arXiv.1306.2401

2014-08-08

Abstract:Attribute-based access control (ABAC) provides a high level of flexibility that promotes security and information sharing. ABAC policy mining algorithms have potential to significantly reduce the cost of migration to ABAC, by partially automating the development of an ABAC policy from an access control list (ACL) policy or role-based access control (RBAC) policy with accompanying attribute data. This paper presents an ABAC policy mining algorithm. To the best of our knowledge, it is the first ABAC policy mining algorithm. Our algorithm iterates over tuples in the given user-permission relation, uses selected tuples as seeds for constructing candidate rules, and attempts to generalize each candidate rule to cover additional tuples in the user-permission relation by replacing conjuncts in attribute expressions with constraints. Our algorithm attempts to improve the policy by merging and simplifying candidate rules, and then it selects the highest-quality candidate rules for inclusion in the generated policy.

Cryptography and Security

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ICNDS.2009.94

2009-01-01

Abstract:Access control is always essential for safe and security access to the system resource. Role based access control (RBAC) model is widely used in large enterprise software systems. The quality of the RBAC policy design especially role definition has great impact on the system security policy implementation. In this paper we propose a novel role engineering methods with security KAOS (SKAOS), which guide the engineering process via keeping decomposing the functional requirement objective and combining the system security requirement. SKAOS not only simplifies the system userpsilas involvement in the role engineering process via supplying with the objective decomposition but also reduces the complexity of the operation analysis. After building the objective decomposition and activity analysis diagrams, the role definition can be delivered. We illustrate the effectiveness of our method via analyzing a real world requirement problem.

Damien Busatto-Gaston,Debraj Chakraborty,Anirban Majumdar,Sayan Mukherjee,Guillermo A. Pérez,Jean-François Raskin

2023-08-16

Abstract:We consider lexicographic bi-objective problems on Markov Decision Processes (MDPs), where we optimize one objective while guaranteeing optimality of another. We propose a two-stage technique for solving such problems when the objectives are related (in a way that we formalize). We instantiate our technique for two natural pairs of objectives: minimizing the (conditional) expected number of steps to a target while guaranteeing the optimal probability of reaching it; and maximizing the (conditional) expected average reward while guaranteeing an optimal probability of staying safe (w.r.t. some safe set of states). For the first combination of objectives, which covers the classical frozen lake environment from reinforcement learning, we also report on experiments performed using a prototype implementation of our algorithm and compare it with what can be obtained from state-of-the-art probabilistic model checkers solving optimal reachability.

Computer Science and Game Theory

Xianghua Zeng,Hao Peng,Angsheng Li

2023-04-03

Abstract:Role-based learning is a promising approach to improving the performance of Multi-Agent Reinforcement Learning (MARL). Nevertheless, without manual assistance, current role-based methods cannot guarantee stably discovering a set of roles to effectively decompose a complex task, as they assume either a predefined role structure or practical experience for selecting hyperparameters. In this article, we propose a mathematical Structural Information principles-based Role Discovery method, namely SIRD, and then present a SIRD optimizing MARL framework, namely SR-MARL, for multi-agent collaboration. The SIRD transforms role discovery into a hierarchical action space clustering. Specifically, the SIRD consists of structuralization, sparsification, and optimization modules, where an optimal encoding tree is generated to perform abstracting to discover roles. The SIRD is agnostic to specific MARL algorithms and flexibly integrated with various value function factorization approaches. Empirical evaluations on the StarCraft II micromanagement benchmark demonstrate that, compared with state-of-the-art MARL algorithms, the SR-MARL framework improves the average test win rate by 0.17%, 6.08%, and 3.24%, and reduces the deviation by 16.67%, 30.80%, and 66.30%, under easy, hard, and super hard scenarios.

Artificial Intelligence

周鑫,潘理

DOI: https://doi.org/10.3969/j.issn.1009-8054.2012.05.049

2012-01-01

Abstract:For RBAC-based multi-domain systems, a reliable static role mapping mechanism that integrates multidomain policies without any constraint conflict is presented. By introduction of the equivalent permission concept, the goal of policy integration is defined, and the hybrid hierarchy is supported in this integration mechanism. The principle of non-rising permission and the role mapping attributes are proposed in order to achieve fine granulation and secure global policies. Due to the low algorithm complexity, this algorithm could be easily applied in practical scenarios.

Dana Zhang,Kotagiri Ramamohanarao,Rui Zhang,Steven Versteeg

2014-01-01

Abstract:Role engineering is the process of defining a set of roles that offer administrative benefit for Role Based Access Control (RBAC), which ensures data privacy. It is a business critical task that is required by enterprises wishing to migrate to RBAC. However, existing methods of role generation have not analysed what constitutes a beneficial role and as a result, often produce inadequate solutions in a time consuming manner. To address the urgent issue of identifying high quality RBAC structures in real enterprise environments, we present a cost based analysis of the problem for both flat and hierarchical RBAC structures. Specifically we propose two cost models to evaluate the administration cost of roles and provide a k - partite graph approach to role engineering. Existing role cost evaulations are approximations that overestimate the benefit of a role. Our method and cost models can provide exact role cost and show when existing role cost evaluations can be used as a lower bound to improve efficiency without effecting quality of results. In the first work to address role engineering using large scale real data sets, we propose RoleAnnealing, a fast solution space search algorithm with incremental computation and guided search space heuristics. Our experimental results on both real and synthetic data sets demonstrate that high quality RBAC configurations that maintain data privacy are identified efficiently by RoleAnnealing. Comparison with an existing approach shows RoleAnnealing is significantly faster and produces RBAC configurations with lower cost.

Viktor Kuncak,Patrick Lam,Martin Rinard

DOI: https://doi.org/10.48550/arXiv.cs/0408013

2004-08-05

Programming Languages

Abstract:We present a new role system for specifying changing referencing relationships of heap objects. The role of an object depends, in large part, on its aliasing relationships with other objects, with the role of each object changing as its aliasing relationships change. Roles therefore capture important object and data structure properties and provide useful information about how the actions of the program interact with these properties. Our role system enables the programmer to specify the legal aliasing relationships that define the set of roles that objects may play, the roles of procedure parameters and object fields, and the role changes that procedures perform while manipulating objects. We present an interprocedural, compositional, and context-sensitive role analysis algorithm that verifies that a program respects the role constraints.