Bi-objective Optimization in Role Mining

Jason Crampton, Eduard Eiben, Gregory Gutin, Daniel Karapetyan, Diptapriyo Majumdar

TL;DR

The paper introduces the Generalized Noise Role Mining problem (GNRM), a generalization of the MinNoise Role Mining problem that can produce “security-aware” or “availability-aware” solutions. It also introduces a bi-objective optimization variant of GNRM (BO-GNRM), whose Pareto front can be computed in fixed-parameter tractable time.

Abstract

Role mining is a technique used to derive a role-based authorization policy from an existing policy. Given a set of users $U$, a set of permissions $P$ and a user-permission authorization relation $\mathit{UPA}\subseteq U\times P$, a role mining algorithm seeks to compute a set of roles $R$, a user-role authorization relation $\mathit{UA}\subseteq U\times R$ and a permission-role authorization relation $\mathit{PA}\subseteq R\times P$, such that the composition of $\mathit{UA}$ and $\mathit{PA}$ is close (in some appropriate sense) to $\mathit{UPA}$. In this paper, we first introduce the Generalized Noise Role Mining problem (GNRM) -- a generalization of the MinNoise Role Mining problem -- which we believe has considerable practical relevance. Extending work of Fomin et al., we show that GNRM is fixed parameter tractable, with parameter $r + k$, where $r$ is the number of roles in the solution and $k$ is the number of discrepancies between $\mathit{UPA}$ and the relation defined by the composition of $\mathit{UA}$ and $\mathit{PA}$. We further introduce a bi-objective optimization variant of GNRM, where we wish to minimize both $r$ and $k$ subject to upper bounds $r\le \bar{r}$ and $k\le \bar{k}$, where $\bar{r}$ and $\bar{k}$ are constants. We show that the Pareto front of this bi-objective optimization problem (BO-GNRM) can be computed in fixed-parameter tractable time with parameter $\bar{r}+\bar{k}$. We then report the results of our experimental work using the integer programming solver Gurobi to solve instances of BO-GNRM. Our key findings are that (a) we obtained strong support that Gurobi's performance is fixed-parameter tractable, (b) our results suggest that our techniques may be useful for role mining in practice, based on our experiments in the context of three well-known real-world authorization policies.
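The quantities the abstract defines, worked through on a tiny instance as an added example (not code from the paper, whose results rest on an FPT algorithm and a Gurobi integer program): an exhaustive search that counts the discrepancies $k$ between $\mathit{UPA}$ and the composition of $\mathit{UA}$ and $\mathit{PA}$, finds the minimum $k$ for each number of roles $r$, and keeps the non-dominated $(r, k)$ points within $\bar{r}$ and $\bar{k}$. The sample `UPA`, all function names, and starting $r$ at 1 are assumptions made for this illustration.

```python
from itertools import combinations

# Constructed sample UPA (user -> permissions); not data from the paper.
UPA = {"u1": {"a", "b"}, "u2": {"a", "b"}, "u3": {"c", "d"},
       "u4": {"a", "b", "c", "d"}, "u5": {"a", "b", "c"}}

def compose(ua, pa):
    """Boolean composition of UA and PA: each user gets the union of their roles' permissions."""
    return {u: set().union(*(pa[r] for r in roles)) for u, roles in ua.items()}

def discrepancies(upa, ua, pa):
    """k: number of (user, permission) pairs on which UPA and the composition differ."""
    granted = compose(ua, pa)
    return sum(len(upa[u] ^ granted.get(u, set())) for u in upa)

def k_min(upa, r):
    """Exhaustively find the fewest discrepancies achievable with r distinct roles."""
    perms = sorted(set().union(*upa.values()))
    candidates = [frozenset(c) for n in range(1, len(perms) + 1)
                  for c in combinations(perms, n)]
    best = None
    for roles in combinations(candidates, r):
        # Permission sets reachable by giving a user any subset of these roles.
        unions = {frozenset().union(*sub) for n in range(r + 1)
                  for sub in combinations(roles, n)}
        # Users are independent once the roles are fixed: pick each one's best union.
        k = sum(min(len(row ^ g) for g in unions) for row in upa.values())
        if best is None or k < best[0]:
            best = (k, roles)
    return best

def pareto_front(upa, r_bar, k_bar):
    """Non-dominated (r, k_min(r)) points with 1 <= r <= r_bar and k <= k_bar."""
    front, lowest = [], None
    for r in range(1, r_bar + 1):
        k, _ = k_min(upa, r)
        if k <= k_bar and (lowest is None or k < lowest):
            front.append((r, k))
        lowest = k if lowest is None else min(lowest, k)
    return front

if __name__ == "__main__":
    print(pareto_front(UPA, r_bar=3, k_bar=4))  # [(2, 1), (3, 0)]
```

With $\bar{k}=4$ the one-role point is excluded because its minimum of 5 discrepancies exceeds the bound, which is the same kind of omission the Figure 1 caption describes.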

Paper Structure (23 sections, 7 theorems, 4 equations, 8 figures, 1 table)

This paper contains 23 sections, 7 theorems, 4 equations, 8 figures, 1 table.

Key Result

Proposition 2.2

Given an $m \times n$ matrix $\mathbf{A}$ and a $p \times q$ matrix $\mathbf{P}$, there is an algorithm that runs in time $2^{p \log p + q \log q} (nm)^{{\mathcal{O}}(1)}$ and correctly outputs whether $\mathbf{A}$ is a $\mathbf{P}$-matrix.

Figures (8)

  • Figure 1: Solutions of OO-GNRM and BO-GNRM, where all the circles are solutions of OO-GNRM and all the large circles form $\hat{P}$. Note that points $(1,k_{\min}(1))$ and $(2,k_{\min}(2))$ are not depicted since $k_{\min}(2)>\bar{k}$.
  • Figure 2: CSP formulation of GNRM.
  • Figure 3: This graph demonstrates how our model $f(k_{\min}, \sigma)$ (surface) fits the data aggregated into $t_{k_{\min}, j}$ (scatter plot). The colour represents the time (the value along the vertical axis).
  • Figure 4: The aggregated data $t_{k, j}$ and the best fit model $f(k, \sigma)$ sliced along the $k$ axis.
  • Figure 5: The aggregated data $t_{k_{\min}, j}$ and the best fit model $f(k_{\min}, \sigma)$ sliced along the $\sigma$ axis.
  • ...and 3 more figures

Theorems & Definitions (11)

  • Proposition 2.2
  • Lemma 2.3
  • Lemma 2.4
  • proof
  • Theorem 2.5
  • proof
  • Lemma 2.6
  • proof
  • Theorem 2.7
  • proof
  • ...and 1 more