LMN: A Tool for Generating Machine Enforceable Policies from Natural Language Access Control Rules using LLMs

Pratik Sonune, Ritwik Rai, Shamik Sural, Vijayalakshmi Atluri, Ashish Kundu

TL;DR

This work tackles translating Natural Language Access Control Policies (NLACPs) into Machine Enforceable Security Policies (MESPs) for ABAC. It introduces LMN, a free web-based tool that uses GPT-3.5 to generate ABAC rules from NLACPs, with two usage modes depending on attribute availability. The authors perform extensive prompt engineering and evaluate using BERTScore, ROUGE, and real-case datasets, showing high accuracy and competitive processing times. The approach lowers manual effort for policy translation, enabling scalable ABAC enforcement across organizations while offering a practical, accessible solution for security officers.

Abstract

Organizations often lay down rules or guidelines called Natural Language Access Control Policies (NLACPs) for specifying who gets access to which information and when. However, these cannot be directly used in a target access control model like Attribute-based Access Control (ABAC). Manually translating the NLACP rules into Machine Enforceable Security Policies (MESPs) is both time-consuming and resource-intensive, rendering it infeasible, especially for large organizations. Automated machine translation workflows, on the other hand, require information security officers to be adept at using such processes. To effectively address this problem, we have developed a free, web-based, publicly accessible tool called LMN (LLMs for generating MESPs from NLACPs) that takes an NLACP as input and converts it into a corresponding MESP. Internally, LMN uses GPT-3.5 API calls and an appropriately chosen prompt. Extensive experiments with different prompts and performance metrics firmly establish the usefulness of LMN.

Paper Structure

This paper contains 18 sections, 3 equations, 9 figures, 2 tables.

Figures (9)

  • Figure 1: Example Input Natural Language Access Control Policy
  • Figure 2: Example Input Attribute List
  • Figure 3: LMN2 Output
  • Figure 4: LMN1 Output
  • Figure 5: Web Interface of LMN
  • ...and 4 more figures