Xusheng Xiao,Amit M. Paradkar,Suresh Thummalapenta,Tao Xie

DOI: https://doi.org/10.1145/2393596.2393608

2012-01-01

Abstract:ABSTRACTAccess Control Policies (ACP) specify which principals such as users have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not amenable for automated techniques to check for correctness and consistency. It is tedious to manually extract ACPs from these NL documents and validate NL functional requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose an approach, called Text2Policy, to automatically extract ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on the collected ACP sentences from publicly available sources along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with the precision of 88.7% and the recall of 89.4%, extracts ACP rules with the accuracy of 86.3%, and extracts action steps with the accuracy of 81.9%.

Siyuan Shang,Xiaohan Wang,Aodi Liu

DOI: https://doi.org/10.1016/j.cose.2024.103717

IF: 5.105

2024-01-25

Computers & Security

Abstract:With the rapid development of information technology, the traditional access control model has faced challenges in meeting the demands of practical applications. As a result, the ABAC model has emerged as a more flexible and adaptable solution, gaining popularity among enterprises. However, constructing an ABAC policy set for heterogeneous access control systems (DAC, MAC, RBAC and other non-ABAC systems) has proven to be complex and time-consuming. In this paper, we propose an ABAC policy mining method based on a clustering algorithm , aiming to extract ABAC policies from access control logs and facilitate the heterogeneous policy migration. Regardless of the access control model used by the original system, its security intent can be reflected by the access control logs. Our method segments and encodes log information using a decision tree, generating a matrix representation that characterizes the logs. Hierarchical clustering is then employed to group similar logs into clusters and extract attribute relationships, thus constructing the ABAC policy set. Additionally, policy optimization techniques such as policy pruning, refinement, and analysis are applied to enhance the policy set. Experimental results demonstrate the effectiveness of our method, achieving 5.7 % F−score improvement and 41.4 % WSC decrease compared to the comparison method. Moreover, when applied to noisy and sparse logs, our method achieves 12.5 % F−score improvement while reducing the WSC by 29.4 %.

computer science, information systems

ZHOU Jiagen,YE Chunxiao,LUO Juan

DOI: https://doi.org/10.3778/j.issn.1002-8331.1109-0593

2013-01-01

Abstract:To solve the semantic presentation and enforcement problems of ABAC policies in the open system environment, a method using ontology to define policies is proposed. This method is defined on the basis of a map from ABAC policy model to description logic definitions. Also, it uses SWRL rules to define relations in the system. Based on the policy ontology, a frame-work utilizing close world reasoning and individual realization reasoning service to generate decisions of access request is pro-posed. The correctness of policy enforcement method is proved through its soundness and completeness, and an experiment is showed to verify the feasibility of these methods in a real application.

Yinyan Zhao,Mang Su,Jie Wan,Jinpeng Hou,Dong Mei

DOI: https://doi.org/10.1109/ithings-greencom-cpscom-smartdata-cybermatics50389.2020.00079

2020-01-01

Abstract:The ever-increasing demand for data exchanges has boosted the development of the Internet of Things (IoT). IoT has brought a new revolution to a variety of industries by integrating smart devices as well as information and communication technologies into traditional systems. However, due to the dynamic and heterogeneous structure of IoT, unauthorized access and data leakage may be much easier. Attribute-based access control (ABAC) is suitable for complex and changeable access control environments due to its flexibility and universality in capturing authorizations in terms of the attributes of users and resources. However, the dynamic nature of IoT bring new challenges to access control. On the one hand, new services and applications continue to be deployed, administrators need to formulate new policies for those services and applications. Therefore, manual development of ABAC polices in IoT environment is time consuming and expensive. On the other hand, because the access environment is constantly changing, access control policies may become unsuitable for current environment. Manual identification of these low-quality rules is often after they cause severe consequences. To address the above two problems, we propose a scheme for generating and evaluating polices in IoT based on machine learning. This scheme referred to as PGEML, contains two module, policy generalization (PG) and policy evaluation (PE). In the PG module, we define a novel measure, resource similarity, and integrate it into policy mining so that policies could generalize among related resources. In the PE module, we introduce a quantitative method to assess rules and prune rules of low-quality. We conduct our experiments on a real-world enterprise access logs from Amazon. The experimental results has qualitatively and quantitatively showed the effectiveness of our proposed scheme.

Thang Bui,Scott D. Stoller

DOI: https://doi.org/10.48550/arXiv.2008.08444

2020-11-24

Abstract:Attribute-Based Access Control (ABAC) and Relationship-based access control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of and chains of relationships between entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC. This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our knowledge) for that problem.

Cryptography and Security,Artificial Intelligence

John Slankas,Xusheng Xiao,Laurie A. Williams,Tao Xie

DOI: https://doi.org/10.1145/2664243.2664280

2014-01-01

Abstract:With over forty years of use and refinement, access control, often in the form of access control rules (ACRs), continues to be a significant control mechanism for information security. However, ACRs are typically either buried within existing natural language (NL) artifacts or elicited from subject matter experts. To address the first situation, our research goal is to aid developers who implement ACRs by inferring ACRs from NL artifacts . To aid in rule inference, we propose an approach that extracts relations (i.e., the relationship among two or more items) from NL artifacts such as requirements documents. Unlike existing approaches, our approach combines techniques from information extraction and machine learning. We develop an iterative algorithm to discover patterns that represent ACRs in sentences. We seed this algorithm with frequently occurring nouns matching a subject--action--resource pattern throughout a document. The algorithm then searches for additional combinations of those nouns to discover additional patterns. We evaluate our approach on documents from three systems in three domains: conference management, education, and healthcare. Our evaluation results show that ACRs exist in 47% of the sentences, and our approach effectively identifies those ACR sentences with a precision of 81% and recall of 65%; our approach extracts ACRs from those identified ACR sentences with an average precision of 76% and an average recall of 49%.

Gang Liu,Wenxian Pei,Yumin Tian,Chen Liu,Shancang Li

DOI: https://doi.org/10.1016/j.jii.2021.100200

IF: 11.718

2021-01-01

Journal of Industrial Information Integration

Abstract:Attributed-based access control (ABAC) is widely used in systems with large resources and users such as the Industrial Internet of Things (IIoT), Industrial information integration system, and so on. Attribute-based security policy is highly flexible and expressive, but conflicts between policies occur frequently, affecting the security and availability of the system. Based on analyzing the ABAC security policies represented by the eXtensible Access Control Markup Language (XACML), this study proposes a formal definition of explicit conflicting rules, probable-conflicting rules, and never-conflicting rules. Also, we found that conflicts occur on a pair of rules in which attribute expressions have overlapping values and that be applied to the same request. A new conflict detection method is proposed in which implicit conflicting rules are converted to explicit conflicting rules by completing the absent attribute expressions and then compare all the rules in pairs to detect all the probable conflicting rules in a rule set. In this way, we can analyze the conflicting probability of each pair of policy rules. Furthermore, we define two metrics to evaluate the conflict level of a rule set. Experiment results show that implicit conflicting rules are more numerous than explicit conflicting rules in the policy set. Also, with an increase in the number of attribute expressions in each rule, the conflicting level of a rule set is significantly reduced, which provides a reference for policymaking. With this method, administrators can formulate more robust and efficient security policies, improve the security and availability of systems.

Hu Luokai,Ying Shi,Jia Xiangyang,Zhao Kai

DOI: https://doi.org/10.6138/jit.2010.11.2.14

2010-01-01

Abstract:With the development of cloud computing, the mutual understandability among distributed Access Control Policies (ACPs) and attribute of entities has become an important issue in the security field of open distributed environment. Semantic Web technology provides the solution to semantic interoperability of heterogeneous applications. In this paper, we analysis existing access control approaches and present a new Semantics Based Cross Domain Access Control Approach with Semantic Access Control Policy Language (SACPL) for describing ACPs. Semantic access control architecture is designed to embed SACPL language and Access Control Oriented Ontology System (ACOOS) into the access control process. Using the approach presented, access control across different domains can be effectively solved through the description and management of semantic attribute. This study enriches the research that the semantic web technology is applied in the field of security, and provides a new way of thinking of access control in cloud computing.

Yinyan Zhao,Mang Su,Jie Wan,Jinpeng Hou,Dong Mei

DOI: https://doi.org/10.1142/s0218126621501899

2021-01-01

Abstract:The rapid growth of communication networking, ubiquitous sensing, and signal processing, has promoted the development of the Internet of Things (IoT). However, the IoT is essentially dynamic and has no clearly defined network boundary, unauthorized access and data leakage may be much easier. Attribute-based access control (ABAC) can solve the problem of fine-grained access control and large-scale user dynamic expansion in complex information systems, and provides an ideal access control solution for an open network environment, which is more suitable for the dynamic access environment of IoT. However, the dynamic nature of IoT brings new challenges to access control. On the one hand, as new devices and services are continuously deployed, administrators need to manually formulate new rules, which is time-consuming and error-prone. On the other hand, as the IoT environment is continuously changing, the access policy easily becomes unsuitable for the current environment. In order to solve the above two problems, we propose a new scheme named Policy Maintenance-based machine learning (PMML), which includes two modules named Policy Generalization (PG) and Policy Evaluation (PE). After the access control model is deployed, automated PG and PE are carried out to maintain the rule set. In the PG module, we define a novel measure, resource similarity, and integrate it into policy mining so that policies could generalize among related resources. In the PE module, we introduce a quantitative method to assess rules and prune rules of low-quality. We conduct our experiments on real-world enterprise access logs from Amazon, and thoroughly analyzed the effects of different hyper-parameters on the experimental results. The experimental results have qualitatively and quantitatively shown the effectiveness of our proposed scheme.

Bo Lang,Nan Zhao,Kun Ge,Kai Chen

DOI: https://doi.org/10.1109/icpca.2008.4783596

2008-01-01

Abstract:Attribute Based Access Control (ABAC) is a promising access control model for pervasive computing. XACML is recognized as an effective ABAC policy description method that can exactly describe the semantics of a policy. However, the description of a XACML policy is complex and it is difficult for users to compose such a policy, which seriously embarrasses the application of XACML. Aiming at this problem, this paper presents an XACML policy generating method basing on a user-oriented ABAC policy view. On the basis of analyzing the XACML policy description language, the paper first establishes a policy description template composed of primary policy description elements of XACML, and then proposes an ABAC concept model called Access Control Cube (ACCube) and submits a comprehensible user-oriented policy view basing on the ACCube. The policy view and the XACML policy template provide an easy and effective way for users to define XACML policies. Users can describe their ABAC policies by creating the policy views, which can then be transformed into XACML policies. The transforming algorithm is given in the paper. According to the foregoing method, we develop a XACML policy generating tool named XACML Policy Builder. An example of using XACML Policy Builder for building XACML policy is also given.

Meiping Liu,Cheng Yang,Hao Li,Yana Zhang

DOI: https://doi.org/10.3390/s20061741

IF: 3.9

2020-01-01

Sensors

Abstract:Internet of Multimedia Things (IoMT) brings convenient and intelligent services while also bringing huge challenges to multimedia data security and privacy. Access control is used to protect the confidentiality and integrity of restricted resources. Attribute-Based Access Control (ABAC) implements fine-grained control of resources in an open heterogeneous IoMT environment. However, due to numerous users and policies in ABAC, access control policy evaluation is inefficient, which affects the quality of multimedia application services in the Internet of Things (IoT). This paper proposed an efficient policy retrieval method to improve the performance of access control policy evaluation in multimedia networks. First, retrieve policies that satisfy the request at the attribute level by computing based on the binary identifier. Then, at the attribute value level, the depth index was introduced to reconstruct the policy decision tree, thereby improving policy retrieval efficiency. This study carried out simulation experiments in terms of the different number of policies and different policy complexity situation. The results showed that the proposed method was three to five times more efficient in access control policy evaluation and had stronger scalability.

Zhongyuan Xu,Scott D. Stoller

DOI: https://doi.org/10.48550/arXiv.1306.2401

2014-08-08

Abstract:Attribute-based access control (ABAC) provides a high level of flexibility that promotes security and information sharing. ABAC policy mining algorithms have potential to significantly reduce the cost of migration to ABAC, by partially automating the development of an ABAC policy from an access control list (ACL) policy or role-based access control (RBAC) policy with accompanying attribute data. This paper presents an ABAC policy mining algorithm. To the best of our knowledge, it is the first ABAC policy mining algorithm. Our algorithm iterates over tuples in the given user-permission relation, uses selected tuples as seeds for constructing candidate rules, and attempts to generalize each candidate rule to cover additional tuples in the user-permission relation by replacing conjuncts in attribute expressions with constraints. Our algorithm attempts to improve the policy by merging and simplifying candidate rules, and then it selects the highest-quality candidate rules for inclusion in the generated policy.

Cryptography and Security

LAN Ze-Jun,GUAN Jian-Feng

2024-01-01

Abstract:Abstract： \justifying Attribute-Based Access Control (ABAC) has been chosen to replace the traditional access control model due to its dynamics, flexibility and scalability recently. However, during the migration and deployment process of ABAC policies, the key issue is how to mine an accurate and concise access control policy collection and quickly evaluate the policies when an access request arrives. Previous studies have typically taken the problems of policy mining and policy evaluation separately. Policy mining primarily focuses on the compactness of the policy itself, while policy evaluation concentrates on assessing the performance of policy matching. The lack of coordination between policy mining and policy evaluation results in that the concise strategy obtained through policy mining cannot maximize the performance of policy evaluation. To trick this issue, this paper proposed a decision tree based ABAC policy mining and policy evaluation (DTAME) scheme that addresses both issues concurrently by introducing an ABAC policy mining and evaluation method based on the decision tree algorithm. On the other hand, some hotspot policy rules are frequently accessed in some scenarios. Therefore, to maximize evaluation performance, this paper also optimizes the algorithm based on access control logs. Experimental results show that the DTAME can enhance the performance of policy evaluation while ensuring that the mined policies remain compact and effective.

Mark A. Kramer,Allen Leavens,Alexander Scarlat

2024-06-10

Abstract:Policy documents, such as legislation, regulations, and executive orders, are crucial in shaping society. However, their length and complexity make interpretation and application challenging and time-consuming. Artificial intelligence (AI), particularly large language models (LLMs), has the potential to automate the process of analyzing these documents, improving accuracy and efficiency. This study aims to evaluate the potential of AI in streamlining policy analysis and to identify the strengths and limitations of current AI approaches. The research focuses on question answering and tasks involving content extraction from policy documents. A case study was conducted using Executive Order 14110 on "Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence" as a test case. Four commercial AI systems were used to analyze the document and answer a set of representative policy questions. The performance of the AI systems was compared to manual analysis conducted by human experts. The study found that two AI systems, Gemini 1.5 Pro and Claude 3 Opus, demonstrated significant potential for supporting policy analysis, providing accurate and reliable information extraction from complex documents. They performed comparably to human analysts but with significantly higher efficiency. However, achieving reproducibility remains a challenge, necessitating further research and development.

Computation and Language,Artificial Intelligence,Information Retrieval

Mei-ping LIU,Cheng YANG,Ya-na ZHANG

DOI: https://doi.org/10.12783/dtcse/msam2020/34227

2020-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:Electronic Medical Record (EMR) system based on the cloud has serious leaks of patient data and private information. Access control and privacy protection are considered to be the keys to ensuring the privacy of patients. Attribute-Based Access Control (ABAC) can realize fine-grained control of cloud medical data, but lacks the corresponding encryption mechanism. Moreover, as the scale of medical data grows, the number of entity attributes and policies required by ABAC is increasing, leading to performance degradation. Most of the existing research schemes focus on security but ignore efficiency, and the encryption scheme does not fit ABAC mechanism well. This paper proposed a retrieval method that enables attribute value, which filtered invalid policies, and improved Ciphertext-Policy Attribute-Based Encryption (CP-ABE), shared attribute set with ABAC to save attribute processing time, thus constructing a secure and efficient SE-ABAC solution in EMR system. Finally, through simulation experiment analysis, the optimizes solution is effective and more efficient than traditional ABAC.

Himanshu Pandey,Akhil Amod,Shivang

2024-07-06

Abstract:Prior Authorization delivers safe, appropriate, and cost-effective care that is medically justified with evidence-based guidelines. However, the process often requires labor-intensive manual comparisons between patient medical records and clinical guidelines, that is both repetitive and time-consuming. Recent developments in Large Language Models (LLMs) have shown potential in addressing complex medical NLP tasks with minimal supervision. This paper explores the application of Multi-Agent System (MAS) that utilize specialized LLM agents to automate Prior Authorization task by breaking them down into simpler and manageable sub-tasks. Our study systematically investigates the effects of various prompting strategies on these agents and benchmarks the performance of different LLMs. We demonstrate that GPT-4 achieves an accuracy of 86.2% in predicting checklist item-level judgments with evidence, and 95.6% in determining overall checklist judgment. Additionally, we explore how these agents can contribute to explainability of steps taken in the process, thereby enhancing trust and transparency in the system.

Artificial Intelligence,Multiagent Systems

Yang Xu,Wuqiang Gao,Quanrun Zeng,Guojun Wang,Ju Ren,Yaoxue Zhang

DOI: https://doi.org/10.1155/2018/6476315

IF: 1.968

2018-01-01

Security and Communication Networks

Abstract:Attribute-based access control (ABAC) is a maturing authorization technique with outstanding expressiveness and scalability, which shows its overwhelmingly competitive advantage, especially in complicated dynamic environments. Unfortunately, the absence of a flexible exceptional approval mechanism in ABAC impairs the resource usability and business time efficiency in current practice, which could limit its growth. In this paper, we propose a feasible fuzzy-extended ABAC (FBAC) technique to improve the flexibility in urgent exceptional authorizations and thereby improving the resource usability and business timeliness. We use the fuzzy assessment mechanism to evaluate the policy-matching degrees of the requests that do not comply with policies, so that the system can make special approval decisions accordingly to achieve unattended exceptional authorizations. We also designed an auxiliary credit mechanism accompanied by periodic credit adjustment auditing to regulate expediential authorizations for mitigating risks. Theoretical analyses and experimental evaluations show that the FBAC approach enhances resource immediacy and usability with controllable risk.

Zhu Yiqun,Li Jianhua,Zhang Quanhai

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.11.054

2008-01-01

Abstract:In accordance with the increasing customers and the various resource access policies in service-oriented environments,the limi- tation of the related research is anallyzed,and a multi-policy services-oriented attribute-based role-based access control(AB-RBAC) model is proposed.Based on the relationship between the resource attribute and the user attribute in multi-policies,different role groups are defined,and relevant rules are made.User-rde assignment is realized based on a finite set of rules,and the requirement of multiple access policies is satis- fied.The flexibility of access control is enhanced,and the efficiency of the system is improved.A case that uses the AB-RBAC model is de- scribed,and a detailed comparison among several models is made,which clearly shows the advantages of AB-RBAC.

Leila Karimi,Mai Abdelhakim,James Joshi

DOI: https://doi.org/10.48550/arXiv.2105.08587

IF: 5.414

2021-05-18

Machine Learning

Abstract:With rapid advances in computing systems, there is an increasing demand for more effective and efficient access control (AC) approaches. Recently, Attribute Based Access Control (ABAC) approaches have been shown to be promising in fulfilling the AC needs of such emerging complex computing environments. An ABAC model grants access to a requester based on attributes of entities in a system and an authorization policy; however, its generality and flexibility come with a higher cost. Further, increasing complexities of organizational systems and the need for federated accesses to their resources make the task of AC enforcement and management much more challenging. In this paper, we propose an adaptive ABAC policy learning approach to automate the authorization management task. We model ABAC policy learning as a reinforcement learning problem. In particular, we propose a contextual bandit system, in which an authorization engine adapts an ABAC model through a feedback control loop; it relies on interacting with users/administrators of the system to receive their feedback that assists the model in making authorization decisions. We propose four methods for initializing the learning model and a planning approach based on attribute value hierarchy to accelerate the learning process. We focus on developing an adaptive ABAC policy learning model for a home IoT environment as a running example. We evaluate our proposed approach over real and synthetic data. We consider both complete and sparse datasets in our evaluations. Our experimental results show that the proposed approach achieves performance that is comparable to ones based on supervised learning in many scenarios and even outperforms them in several situations.

Gang Liu,Hui-min Song,Run-nan Zhang,Can Wang,Quan Wang,Lu Fang

DOI: https://doi.org/10.12783/dtcse/aics2016/8254

2017-01-01

DEStech Transactions on Computer Science and Engineering

Abstract:Currently, resource sharing and system security are critical issues. This paper proposes a hierarchical system based access control model termed H-ABAC. It improves the attribute based access control(ABAC) model in reducing the management stress and addressing the problem of insufficient policy repository space. The following describes the H-ABAC model in terms of its self-administering mode, attribute definitions, policy formulation and authorization architecture, which demonstrate the advantages of H-ABAC. This supervisor mode not only reduces system administrator stress but also prevents all problems of a session in role-based access control (RBAC). Different definitions of the attributes in H-ABAC can be employed for different fields with different access control granularities, which enhances the flexibility of the model compared with traditional access control models. A scenario that illustrates how this new model is applied to the real world is provided.