Carlo Blundo,Stelvio Cimato

DOI: https://doi.org/10.48550/arXiv.1203.3744

2012-03-16

Abstract:Role Based Access Control (RBAC) is a very popular access control model, for long time investigated and widely deployed in the security architecture of different enterprises. To implement RBAC, roles have to be firstly identified within the considered organization. Usually the process of (automatically) defining the roles in a bottom up way, starting from the permissions assigned to each user, is called {\it role mining}. In literature, the role mining problem has been formally analyzed and several techniques have been proposed in order to obtain a set of valid roles. Recently, the problem of defining different kind of constraints on the number and the size of the roles included in the resulting role set has been addressed. In this paper we provide a formal definition of the role mining problem under the cardinality constraint, i.e. restricting the maximum number of permissions that can be included in a role. We discuss formally the computational complexity of the problem and propose a novel heuristic. Furthermore we present experimental results obtained after the application of the proposed heuristic on both real and synthetic datasets, and compare the resulting performance to previous proposals

Cryptography and Security

Chao Huang,Jian-ling Sun,Xin-yu Wang,Yuan-jie Si

DOI: https://doi.org/10.1631/jzus.c0910186

2010-01-01

Journal of Zhejiang University SCIENCE C

Abstract:Web service composition is a low cost and efficient way to leverage the existing resource and implementation. In current Web service composition implementations, the issue of how to define the role for a new composite Web service has been little addressed. Adjusting the access control policy for a new composite Web service always causes substantial administration overhead from the security administrator. Furthermore, the distributed nature of Web service based applications makes traditional role mining methods obsolete. In this paper, we analyze the minimal role mining problem for Web service composition, and prove that this problem is NP-complete. We propose a sub-optimal greedy algorithm based on the analysis of necessary role mapping for interoperation across multiple domains. Simulation shows the effectiveness of our algorithm, and compared to the existing methods, our algorithm has significant performance advantages. We also demonstrate the practical application of our method in a real agent based Web service system. The results show that our method could find the minimal role mapping efficiently.

Jason Crampton,Eduard Eiben,Gregory Gutin,Daniel Karapetyan,Diptapriyo Majumdar

2024-03-25

Abstract:Role mining is a technique used to derive a role-based authorization policy from an existing policy. Given a set of users $U$, a set of permissions $P$ and a user-permission authorization relation $\mahtit{UPA}\subseteq U\times P$, a role mining algorithm seeks to compute a set of roles $R$, a user-role authorization relation $\mathit{UA}\subseteq U\times R$ and a permission-role authorization relation $\mathit{PA}\subseteq R\times P$, such that the composition of $\mathit{UA}$ and $\mathit{PA}$ is close (in some appropriate sense) to $\mathit{UPA}$.

Computational Complexity,Artificial Intelligence

Hejiao Huang,Feng Shang,Jinling Liu,Hongwei Du

DOI: https://doi.org/10.1007/s10878-013-9633-9

2013-01-01

Journal of Combinatorial Optimization

Abstract:For a given role-based access control (RBAC) configuration, user-role assignment satisfying least privilege principle (specified as LPUAP) is one of the most important problems to be solved in information security. LPUAP has been proved to be NP-hard. This paper gives several efficient greedy algorithms for handling this problem. Experiment results show that the output of our algorithms is almost optimal while the running time is greatly reduced. In another case where a RBAC configuration is to be set up, minimizing the descriptive set of roles (specified as Basic-RMP) and minimizing the administrative assignments for roles (specified as Edge-RMP) can greatly decrease the management costs. Both role mining problems (i.e., Basic-RMP and Edge-RMP) have also been proved to be NP-hard. This paper converts Basic-RMP to set cover problem and Edge-RMP to weighted set cover problem, and two algorithms respectively named \(GA_{Basic}\) algorithm for Basic-RMP and \(GA_{Edge}\) algorithm for Edge-RMP, are designed. Experiment results show that the average similarity rate between role sets produced by \(GA_{Basic}\) algorithm and the original ones used in generating the dataset is above 90 %. However, in the process of converting role mining into Set Cover Problem, the number of candidate role set is very large. In order to reduce the complexity of the \(GA_{Basic}\) algorithm, this paper presents a new polynomial-time algorithm with a performance nearly the same as that of \(GA_{Basic}\) algorithm.

Mario Frank,Joachim M. Buhmann,David Basin

DOI: https://doi.org/10.48550/arXiv.1212.4775

2013-01-05

Abstract:Role mining tackles the problem of finding a role-based access control (RBAC) configuration, given an access-control matrix assigning users to access permissions as input. Most role mining approaches work by constructing a large set of candidate roles and use a greedy selection strategy to iteratively pick a small subset such that the differences between the resulting RBAC configuration and the access control matrix are minimized. In this paper, we advocate an alternative approach that recasts role mining as an inference problem rather than a lossy compression problem. Instead of using combinatorial algorithms to minimize the number of roles needed to represent the access-control matrix, we derive probabilistic models to learn the RBAC configuration that most likely underlies the given matrix. Our models are generative in that they reflect the way that permissions are assigned to users in a given RBAC configuration. We additionally model how user-permission assignments that conflict with an RBAC configuration emerge and we investigate the influence of constraints on role hierarchies and on the number of assignments. In experiments with access-control matrices from real-world enterprises, we compare our proposed models with other role mining methods. Our results show that our probabilistic models infer roles that generalize well to new system users for a wide variety of data, while other models' generalization abilities depend on the dataset given.

Cryptography and Security,Machine Learning

Ian Molloy,Ninghui Li,Jorge Lobo,Yuan Qi,Luke Dickens

2010-01-01

Abstract:There has been increasing interest in automatic techniques for generating roles for role-based access control, a process known as role mining. Most role mining approaches assume the input data is clean, and attempt to optimize the RBAC state. We examine role mining with noisy input data and suggest dividing the problem into two steps: noise removal and candidate role generation. We introduce an approach to use (non-binary) rank reduced matrix factorization to identify noise and experimentally show that it is effective at identifying noise in access control data. User- and permission-attributes can further be used to improve accuracy. Next, we show that our two-step approach is able to find candidate roles that are close to the roles mined from noise-less data. This method performs better than the approach of mining noisy data directly and offering the administrator increased control in the noise removal and candidate role generation phases. We note that our approach is applicable outside role engineering and may be used to identify errors or predict missing values in any access control matrix.

Jiujian Chen,Kai Wang,Ronghua Li,Hongchao Qin,Xuemin Lin,Guoren Wang

DOI: https://doi.org/10.1109/icde60146.2024.00200

2024-01-01

Abstract:Bipartite graphs are commonly used to model relationships between two distinct types of entities, such as customer-product relationships in e-commerce platforms and protein-protein interactions in bioinformatics. Enumerating all maximal bicliques from a bipartite graph is a fundamental graph mining problem that has been widely used in many real-world applications including community search and spam detection. Existing algorithms for maximal biclique enumeration can struggle to scale to large graphs with a vast number of maximal bicliques. In this paper, we propose a novel and highly-efficient algorithm for maximal biclique enumeration in bipartite graphs using prefix trees. Specifically, a prefix tree is a data structure that stores lists of elements as paths in the tree, and we observe that a maximal biclique can be represented uniquely by the vertices in one of its vertex layers and stored compactly in prefix trees. The process of our algorithm is divided into two steps. First, we find the lower layer vertices of all maximal bicliques and organize them in a prefix tree (i.e., the result tree). During this step, we transform the original time-consuming operations of checking maximality and filtering candidates for vertex sets into determining uniqueness and performing extraction from a prefix tree at each level of the recursion. Second, we use the result tree to obtain the upper layer vertices of the maximal bicliques by computing the common neighbors of vertices in the tree. In this step, we further optimize the computation for intersections of vertex sets by compressing the neighbors of each vertex and memoization. In addition, we also propose a pre-processing method based on the order of traversal on the prefix tree to reduce memory usage. We conduct extensive experiments on 10 real-world datasets, and the results demonstrate that the proposed algorithm outperforms existing solutions by up to one order of magnitude.

Scott D. Stoller,Thang Bui

DOI: https://doi.org/10.48550/arXiv.1603.02640

2017-10-16

Abstract:Temporal role-based access control (TRBAC) extends role-based access control to limit the times at which roles are enabled. This paper presents a new algorithm for mining high-quality TRBAC policies from timed ACLs (i.e., ACLs with time limits in the entries) and optionally user attribute information. Such algorithms have potential to significantly reduce the cost of migration from timed ACLs to TRBAC. The algorithm is parameterized by the policy quality metric. We consider multiple quality metrics, including number of roles, weighted structural complexity (a generalization of policy size), and (when user attribute information is available) interpretability, i.e., how well role membership can be characterized in terms of user attributes. Ours is the first TRBAC policy mining algorithm that produces hierarchical policies, and the first that optimizes weighted structural complexity or interpretability. In experiments with datasets based on real-world ACL policies, our algorithm is more effective than previous algorithms at optimizing policy quality.

Cryptography and Security

Jianhua Wang,Jianye Yang,Zhaoquan Gu,Dian Ouyang,Zhihong Tian,Xuemin Lin

DOI: https://doi.org/10.1109/tkde.2024.3373654

IF: 9.235

2024-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:In this paper, we study the problem of maximal biclique enumeration on large signed bipartite graphs. Given a signed bipartite graph $G=(U,V,E,s)$, a parameter $\theta \in [0.5, 1.0]$, our goal is to efficiently enumerate all maximal $\theta$-bicliques in $G$, where a maximal $\theta$-biclique $B(L,R)$ is a complete subgraph of $G$ with (1) the proportion of positive neighbors for each vertex in $B$ is at least $\theta$, and (2) $B$ is not contained in another biclique $B^{\prime }$, while $B^{\prime }$ also satisfies (1). This problem has many applications, such as biclustering for genes, recommendation of similar groups, collaboration in communities, etc. However, it is computationally challenging due to its #P-completeness. Besides, we prove that even determining the maximality of a $\theta$-biclique is NP-hard. To the best of our knowledge, there is no efficient and scalable solution to this problem in the literature. In this paper, we first propose a branch-and-bound framework, namely ${\sf MSiBE}$, which enumerates all maximal $\theta$-bicliques in a depth-first manner. Then, we develop three effective optimizations to improve the performance of ${\sf MSiBE}$. (1) The local information of each search space is utilized to enhance the pruning capacity. (2) When expanding the partial biclique, we always focus on the side with fewer candidates first, by which fruitless search branches can be skipped early. (3) We implement ${\sf MSiBE}$ with efficient array reordering techniques and set intersection strategy. To further accelerate the computation, we introduce useful graph reduction techniques. Comprehensive performance studies on 10 real datasets demonstrate that our proposals can significantly outperform the baseline methods by up to 3 orders of magnitude.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Alessandro Colantonio,Roberto Di Pietro,Alberto Ocello

DOI: https://doi.org/10.1145/1363686.1364198

2008-01-01

Abstract:In recent years role-based access control (RBAC) has been spreading within organizations. However, companies still have considerable difficulty migrating to this model, due to the complexity involved in identifying a set of roles fitting the real needs of the company. All the various role engineering methods proposed thus far lack a metric for measuring the "quality" of candidate roles produced. This paper proposes a new approach guided by a cost-based metric, where "cost" represents the effort to administer the resulting RBAC. Further, we propose REAM (Role-Based Association-rule Mining), an algorithm leveraging the cost metric to find candidate role-sets with the lowest possible administration cost. For a specific parameter set, RBAM behaves as already existing role mining algorithms and is, worst case, NP-complete. Yet, we will provide several examples showing the sensibility of assumptions made by the algorithm. Further, application of the algorithm to real data will highlight the improvements over current solutions. Finally, we comment on the direction of future research.

Arko Provo Mukherjee,Srikanta Tirthapura

DOI: https://doi.org/10.48550/arXiv.1404.4910

2014-04-19

Abstract:We consider the enumeration of maximal bipartite cliques (bicliques) from a large graph, a task central to many practical data mining problems in social network analysis and bioinformatics. We present novel parallel algorithms for the MapReduce platform, and an experimental evaluation using Hadoop MapReduce. Our algorithm is based on clustering the input graph into smaller sized subgraphs, followed by processing different subgraphs in parallel. Our algorithm uses two ideas that enable it to scale to large graphs: (1) the redundancy in work between different subgraph explorations is minimized through a careful pruning of the search space, and (2) the load on different reducers is balanced through the use of an appropriate total order among the vertices. Our evaluation shows that the algorithm scales to large graphs with millions of edges and tens of mil- lions of maximal bicliques. To our knowledge, this is the first work on maximal biclique enumeration for graphs of this scale.

Distributed, Parallel, and Cluster Computing

Dana Zhang,Kotagiri Ramamohanarao,Steven Versteeg,Rui Zhang

DOI: https://doi.org/10.1145/1852666.1852694

2010-01-01

Abstract:Role Engineering for Role Based Access Control (RBAC) has emerged as a challenging area of research, both in industry and academia. The problem originates from the practical need to create a set of roles that accurately reflects the internal functionalities of an enterprise. Existing approaches that have used data mining techniques for this problem often generate too many candidate roles and do not consider the effect of a given combination of roles on the overall configuration. Identification of an ideal RBAC solution is only possible with a clear and concise evaluation of the RBAC configuration goals. To address this issue, we discuss use of the graph model for the Role Engineering problem and show how effective this approach is in the search for a role engineering solution. We evaluate and formalise the problem of identifying the minimum number of descriptive roles for RBAC using a graph model and propose how its variations can be represented. Finally, we introduce novel strategies using the proposed models for future innovation and perform experimentation on both real and synthetically generated data.

Renjie Sun,Yanping Wu,Chen,Xiaoyang Wang,Wenjie Zhang,Xuemin Lin

DOI: https://doi.org/10.1109/icde53745.2022.00187

2022-01-01

Abstract:Maximal biclique enumeration is a fundamental problem in bipartite graph analysis, and can find numerous applications. However, previous studies only focus on unsigned bipartite graphs. Signed information, such as friend and enemy, naturally exists in real-world networks. It is critical to leverage signed information to better characterize biclique. To fill this gap, in this paper, we propose a novel biclique model, named balanced signed biclique, by leveraging the property of balance theory. Specifically, given a signed bipartite graph $G$ , two positive integers $\tau_{U}, \tau_{V}$ , a subgraph $S=(U_{S},\ V_{S},\ E_{S})$ of $G$ is a balanced signed biclique if $i$ ) $S$ is a biclique without any unstable motif, i.e., unbalanced butterfly, and ii) $\vert U_{S}\vert \geq\tau_{U}$ and $\vert V_{S}\vert \geq\tau_{V}$ . In this paper, we aim to enumerate all the maximal balanced signed bicliques, which is proved to be NP-hard. Moreover, due to the unique features of signed bipartite graphs, the previous works cannot be applied to our problem directly. To construct a reasonable baseline, we extend the existing biclique enumeration framework for unsigned bipartite graphs and integrate the developed balanced bipartite graph property. To scale for larger networks, novel optimized strategies are proposed to overcome the three limitations in the baseline method. Extensive experi-ments are conducted on 8 real-world datasets to demonstrate the efficiency and effectiveness of proposed techniques and model. Compared with the baseline approach, the optimized algorithm can achieve up to 3 orders of magnitude speedup.

Bingqing Lyu,Lu Qin,Xuemin Lin,Ying Zhang,Zhengping Qian,Jingren Zhou

DOI: https://doi.org/10.1007/s00778-021-00681-6

2022-01-01

Abstract:Maximum biclique search, which finds the biclique with the maximum number of edges in a bipartite graph, is a fundamental problem with a wide spectrum of applications in different domains, such as E-Commerce, social analysis, web services, and bioinformatics. Unfortunately, due to the difficulty of the problem in graph theory, no practical solution has been proposed to solve the issue in large-scale real-world datasets. Existing techniques for maximum clique search on a general graph cannot be applied because the search objective of maximum biclique search is two-dimensional, i.e., we have to consider the size of both parts of the biclique simultaneously. In this paper, we divide the problem into several subproblems each of which is specified using two parameters. These subproblems are derived in a progressive manner, and in each subproblem, we can restrict the search in a very small part of the original bipartite graph. We prove that a logarithmic number of subproblems is enough to guarantee the algorithm correctness. To minimize the computational cost, we show how to reduce significantly the bipartite graph size for each subproblem while preserving the maximum biclique satisfying certain constraints by exploring the properties of one-hop and two-hop neighbors for each vertex. Furthermore, we study the diversified top-k biclique search problem which aims to find k maximal bicliques that cover the most edges in total. The basic idea is to repeatedly find the maximum biclique in the bipartite graph and remove it from the bipartite graph k times. We design an efficient algorithm that considers to share the computation cost among the k results, based on the idea of deriving the same subproblems of different results. We further propose two optimizations to accelerate the computation by pruning the search space with size constraint and refining the candidates in a lazy manner. We use several real datasets from various application domains, one of which contains over 300 million vertices and 1.3 billion edges, to demonstrate the high efficiency and scalability of our proposed solution. It is reported that 50% improvement on recall can be achieved after applying our method in Alibaba Group to identify the fraudulent transactions in their e-commerce networks. This further demonstrates the usefulness of our techniques in practice.

Chao Huang,Jianling Sun,Xinyu Wang,Di Wu

DOI: https://doi.org/10.1587/transinf.e93.d.1070

2010-01-01

IEICE Transactions on Information and Systems

Abstract:In this paper, we propose an inconsistency resolution method based on a new concept, insecure backtracking role,napping. By analyzing the role graph, we prove that the root cause of security inconsistency in distributed interoperation is the existence of insecure backtracking role mapping. We propose a novel and efficient algorithm to detect the inconsistency via finding all of the insecure backtracking role mappings. Our detection algorithm will not only report the existence of inconsistency, but also generate the inconsistency information for the resolution. We reduce the inconsistency resolution problem to the known Minimum-Cut problem, and based on the results generated by our detection algorithm we propose an inconsistency resolution algorithm which could guarantee the security of distributed interoperation. We demonstrate the effectiveness of our approach through simulated tests and a case study.

Xinyi Zhang,Weili Han,Zheran Fang,Yuliang Yin,Hossen A. Mustafa

DOI: https://doi.org/10.1145/2484417.2484423

2013-01-01

Abstract:Role mining is a very useful engineering method to help administrators set up the mechanism of role based access control for information systems, but not applied in the Android security framework so far. This paper uses large volume Android applications from the Android Market (Google Play Store now), which include 44,971 applications (subjects), 125 permissions, and 222,734 application-permission assignments (application, permission), to evaluate the effectiveness of five popular role mining algorithms: HM, HPr, HPe, GO, and ORCA. Furthermore, according to the features of Android applications, we propose Mine-Tag, an algorithm that generates tags based on the descriptions of Android applications. These tags can be attached to each mined role to help administrators manage the roles. We set up experiments, evaluate algorithms, and discuss the insights of mining methods in Android applications.

Alexis Baudin,Clémence Magnien,Lionel Tabourier

2024-05-24

Abstract:Bipartite graphs are a prevalent modeling tool for real-world networks, capturing interactions between vertices of two different types. Within this framework, bicliques emerge as crucial structures when studying dense subgraphs: they are sets of vertices such that all vertices of the first type interact with all vertices of the second type. Therefore, they allow identifying groups of closely related vertices of the network, such as individuals with similar interests or webpages with similar contents. This article introduces a new algorithm designed for the exhaustive enumeration of maximal bicliques within a bipartite graph. This algorithm, called BBK for Bipartite Bron-Kerbosch, is a new extension to the bipartite case of the Bron-Kerbosch algorithm, which enumerates the maximal cliques in standard (non-bipartite) graphs. It is faster than the state-of-the-art algorithms and allows the enumeration on massive bipartite graphs that are not manageable with existing implementations. We analyze it theoretically to establish two complexity formulas: one as a function of the input and one as a function of the output characteristics of the algorithm. We also provide an open-access implementation of BBK in C++, which we use to experiment and validate its efficiency on massive real-world datasets and show that its execution time is shorter in practice than state-of-the art algorithms. These experiments also show that the order in which the vertices are processed, as well as the choice of one of the two types of vertices on which to initiate the enumeration have an impact on the computation time.

Data Structures and Algorithms,Computational Complexity,Information Retrieval,Social and Information Networks

Ziqi Yin,Qi Zhang,Wentao Zhang,Rong-Hua Li,Guoren Wang

DOI: https://doi.org/10.1109/icde55515.2023.00131

2023-01-01

Abstract:Maximal biclique enumeration is a fundamental problem in bipartite graph data analysis. Existing biclique enumeration methods mainly focus on non-attributed bipartite graphs and also ignore the fairness of graph attributes. In this paper, we introduce the concept of fairness into the biclique model for the first time and study the problem of fairness-aware biclique enumeration. Specifically, we propose two fairness-aware biclique models, called single-side fair biclique and bi-side fair biclique respectively. To efficiently enumerate all single-side fair bicliques, we first present two non-trivial pruning techniques, called fair α-β core pruning and colorful fair α-β core pruning, to reduce the graph size without losing accuracy. Then, we develop a branch and bound algorithm, called FairBCEM, to enumerate all single-side fair bicliques on the reduced bipartite graph. To further improve the efficiency, we propose an efficient branch and bound algorithm with a carefully-designed combinatorial enumeration technique. Note that all of our techniques can also be extended to enumerate all bi-side fair bicliques. We also extend the two fairness-aware biclique models by constraining the ratio of the number of vertices of each attribute to the total number of vertices and present corresponding enumeration algorithms. Extensive experimental results on five large real-world datasets demonstrate our methods’ efficiency, effectiveness, and scalability.

Bingqing Lyu,Lu Qin,Xuemin Lin,Ying Zhang,Zhengping Qian,Jingren Zhou

DOI: https://doi.org/10.14778/3397230.3397234

IF: 2.5

2020-01-01

Proceedings of the VLDB Endowment

Abstract:Maximum biclique search, which finds the biclique with the maximum number of edges in a bipartite graph, is a fundamental problem with a wide spectrum of applications in different domains, such as E-Commerce, social analysis, web services, and bioinformatics. Unfortunately, due to the difficulty of the problem in graph theory, no practical solution has been proposed to solve the issue in large-scale real-world datasets. Existing techniques for maximum clique search on a general graph cannot be applied because the search objective of maximum biclique search is two-dimensional, i.e., we have to consider the size of both parts of the biclique simultaneously. In this paper, we divide the problem into several subproblems each of which is specified using two parameters. These subproblems are derived in a progressive manner, and in each subproblem we can restrict the search in a very small part of the original bipartite graph. We prove that a logarithmic number of subproblems is enough to guarantee the algorithm correctness. To minimize the computational cost, we show how to reduce significantly the bipartite graph size for each subproblem while preserving the maximum biclique satisfying certain constraints by exploring the properties of one-hop and two-hop neighbors for each vertex. We use several real datasets from various application domains, one of which contains over 300 million vertices and 1.3 billion edges, to demonstrate the high efficiency and scalability of our proposed solution. It is reported that 50% improvement on recall can be achieved after applying our method in Alibaba Group to identify the fraudulent transactions in their e-commerce networks. This further demonstrates the usefulness of our techniques in practice.

Zhe Pan,Xu Li,Shuibing He,Xuechen Zhang,Rui Wang,Yunjun Gao,Gang Chen,Xian-He Sun

DOI: https://doi.org/10.1109/tc.2024.3441864

IF: 3.183

2024-01-01

IEEE Transactions on Computers

Abstract:Maximal biclique enumeration (MBE) in bipartite graphs is a fundamental problem in data mining with widespread applications. Many recent works solve this problem based on the set-enumeration (SE) tree, which sequentially traverses vertices to generate the enumeration tree nodes representing distinct bicliques, then checks whether these bicliques are maximal or not. However, existing MBE algorithms only expand bicliques with untraversed vertices to ensure distinction, which often necessitate extensive node checks to eliminate non-maximal bicliques, resulting in significant computational overhead during the enumeration process. To address this issue, we propose an aggressive set-enumeration (ASE) tree that aggressively expands all bicliques to their maximal form, thus avoiding costly node checks on non-maximal bicliques. This aggressive enumeration may produce multiple duplicate maximal bicliques, but we efficiently eliminate these duplicates by lever-aging the connection between parent and child nodes and conducting low-cost node checking. Additionally, we introduce an aggressive merge-based pruning (AMP) approach that aggressively merges vertices sharing the same local neighbors. This helps prune numerous duplicate node generations caused by subsets of merged vertices. We integrate the AMP approach into the ASE tree, and present the Aggressive Maximal Biclique Enumeration Algorithm (AMBEA). Experimental results show that AMBEA is 1.15× to 5.32× faster than its closest competitor and exhibits better scalability and parallelization capabilities on larger bipartite graphs.