A decision tree learning approach for mining relationship-based access control policies

Thang Bui; Scott D. Stoller

doi:10.1145/3381991.3395619

A decision tree learning approach for mining relationship-based access control policies

Thang Bui
, Scott D. Stoller

Computer Science

Stony Brook University

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

25 Scopus citations

Abstract

Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing, by allowing policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents new algorithms, called DTRM (Decision Tree ReBAC Miner) and DTRM-, based on decision trees, for mining ReBAC policies from access control lists (ACLs) and information about entities. Compared to state-of-the-art ReBAC mining algorithms, our algorithms are significantly faster, achieve comparable policy quality, and can mine policies in a richer language.

Original language	English
Title of host publication	SACMAT 2020 - Proceedings of the 25th ACM Symposium on Access Control Models and Technologies
Publisher	Association for Computing Machinery
Pages	167-178
Number of pages	12
ISBN (Electronic)	9781450375689
DOIs	https://doi.org/10.1145/3381991.3395619
State	Published - Jun 10 2020
Event	25th ACM Symposium on Access Control Models and Technologies, SACMAT 2020 - Barcelona, Spain Duration: Jun 10 2020 → Jun 12 2020

Publication series

Name	Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Conference

Conference	25th ACM Symposium on Access Control Models and Technologies, SACMAT 2020
Country/Territory	Spain
City	Barcelona
Period	06/10/20 → 06/12/20

Keywords

Attribute-based access control
Decision trees
Relationship-based access control
Security policy mining

Access to Document

10.1145/3381991.3395619

Cite this

Bui, T., & Stoller, S. D. (2020). A decision tree learning approach for mining relationship-based access control policies. In SACMAT 2020 - Proceedings of the 25th ACM Symposium on Access Control Models and Technologies (pp. 167-178). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). Association for Computing Machinery. https://doi.org/10.1145/3381991.3395619

@inproceedings{3d4ab3feeaab4c67bcb5606542a5ac8c,

title = "A decision tree learning approach for mining relationship-based access control policies",

abstract = "Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing, by allowing policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents new algorithms, called DTRM (Decision Tree ReBAC Miner) and DTRM-, based on decision trees, for mining ReBAC policies from access control lists (ACLs) and information about entities. Compared to state-of-the-art ReBAC mining algorithms, our algorithms are significantly faster, achieve comparable policy quality, and can mine policies in a richer language.",

keywords = "Attribute-based access control, Decision trees, Relationship-based access control, Security policy mining",

author = "Thang Bui and Stoller, \{Scott D.\}",

note = "Publisher Copyright: {\textcopyright} 2020 ACM.; 25th ACM Symposium on Access Control Models and Technologies, SACMAT 2020 ; Conference date: 10-06-2020 Through 12-06-2020",

year = "2020",

month = jun,

day = "10",

doi = "10.1145/3381991.3395619",

language = "English",

series = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",

publisher = "Association for Computing Machinery",

pages = "167--178",

booktitle = "SACMAT 2020 - Proceedings of the 25th ACM Symposium on Access Control Models and Technologies",

}

Bui, T & Stoller, SD 2020, A decision tree learning approach for mining relationship-based access control policies. in SACMAT 2020 - Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, Association for Computing Machinery, pp. 167-178, 25th ACM Symposium on Access Control Models and Technologies, SACMAT 2020, Barcelona, Spain, 06/10/20. https://doi.org/10.1145/3381991.3395619

A decision tree learning approach for mining relationship-based access control policies. / Bui, Thang; Stoller, Scott D.
SACMAT 2020 - Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery, 2020. p. 167-178 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - A decision tree learning approach for mining relationship-based access control policies

AU - Bui, Thang

AU - Stoller, Scott D.

PY - 2020/6/10

Y1 - 2020/6/10

N2 - Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing, by allowing policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents new algorithms, called DTRM (Decision Tree ReBAC Miner) and DTRM-, based on decision trees, for mining ReBAC policies from access control lists (ACLs) and information about entities. Compared to state-of-the-art ReBAC mining algorithms, our algorithms are significantly faster, achieve comparable policy quality, and can mine policies in a richer language.

AB - Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing, by allowing policies to be expressed in terms of chains of relationships between entities. ReBAC policy mining algorithms have the potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy. This paper presents new algorithms, called DTRM (Decision Tree ReBAC Miner) and DTRM-, based on decision trees, for mining ReBAC policies from access control lists (ACLs) and information about entities. Compared to state-of-the-art ReBAC mining algorithms, our algorithms are significantly faster, achieve comparable policy quality, and can mine policies in a richer language.

KW - Attribute-based access control

KW - Decision trees

KW - Relationship-based access control

KW - Security policy mining

UR - https://www.scopus.com/pages/publications/85086824385

U2 - 10.1145/3381991.3395619

DO - 10.1145/3381991.3395619

M3 - Conference contribution

AN - SCOPUS:85086824385

T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

SP - 167

EP - 178

BT - SACMAT 2020 - Proceedings of the 25th ACM Symposium on Access Control Models and Technologies

PB - Association for Computing Machinery

T2 - 25th ACM Symposium on Access Control Models and Technologies, SACMAT 2020

Y2 - 10 June 2020 through 12 June 2020

ER -

Bui T, Stoller SD. A decision tree learning approach for mining relationship-based access control policies. In SACMAT 2020 - Proceedings of the 25th ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery. 2020. p. 167-178. (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). doi: 10.1145/3381991.3395619

A decision tree learning approach for mining relationship-based access control policies

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this