Table of Contents
Fetching ...

An Approach for Handling Missing Attribute Values in Attribute-Based Access Control Policy Mining

Thang Bui, Elliot Shabram, Anthony Matricia

TL;DR

The paper tackles the challenge of missing attribute values in ABAC policy mining by predicting missing attributes through a two-phase approach: contextual clustering of users and resources, followed by regression-based analysis of group-specific entitlements to infer missing values with assigned confidence levels. It adopts Xu et al.'s ABAC policy language and defines the problem in terms of predicting missing attributes with $\langle \text{High}, \text{Medium}, \text{NEI} \rangle$ confidence, using $E_0$ entitlements as the basis for learning. The method leverages a Jaccard-based similarity on non-NULL attributes and a linear regression model to identify top features that influence permissions, enabling targeted predictions via a top-$N$ feature framework $\langle \text{numHigh}, \text{numMed} \rangle$. Experimental results on University and Project Management datasets show high accuracy for predicted values (often $100\%$ for high-confidence predictions) and robust coverage, demonstrating the approach's potential to smooth the transition to ABAC and provide data-quality insights for policy mining, with potential extensions to ReBAC settings.

Abstract

Attribute-Based Access Control (ABAC) enables highly expressive and flexible access decisions by considering a wide range of contextual attributes. ABAC policies use logical expressions that combine these attributes, allowing for precise and context-aware control. Algorithms that mine ABAC policies from legacy access control systems can significantly reduce the costs associated with migrating to ABAC. However, a major challenge in this process is handling incomplete entity information, where some attribute values are missing. This paper introduces an approach that enhances the policy mining process by predicting or inferring missing attribute values. This is accomplished by employing a contextual clustering technique that groups entities according to their known attributes, which are then used to analyze and refine authorization decisions. By effectively managing incomplete data, our approach provides security administrators with a valuable tool to improve their attribute data and ensure a smoother, more efficient transition to ABAC.

An Approach for Handling Missing Attribute Values in Attribute-Based Access Control Policy Mining

TL;DR

The paper tackles the challenge of missing attribute values in ABAC policy mining by predicting missing attributes through a two-phase approach: contextual clustering of users and resources, followed by regression-based analysis of group-specific entitlements to infer missing values with assigned confidence levels. It adopts Xu et al.'s ABAC policy language and defines the problem in terms of predicting missing attributes with confidence, using entitlements as the basis for learning. The method leverages a Jaccard-based similarity on non-NULL attributes and a linear regression model to identify top features that influence permissions, enabling targeted predictions via a top- feature framework . Experimental results on University and Project Management datasets show high accuracy for predicted values (often for high-confidence predictions) and robust coverage, demonstrating the approach's potential to smooth the transition to ABAC and provide data-quality insights for policy mining, with potential extensions to ReBAC settings.

Abstract

Attribute-Based Access Control (ABAC) enables highly expressive and flexible access decisions by considering a wide range of contextual attributes. ABAC policies use logical expressions that combine these attributes, allowing for precise and context-aware control. Algorithms that mine ABAC policies from legacy access control systems can significantly reduce the costs associated with migrating to ABAC. However, a major challenge in this process is handling incomplete entity information, where some attribute values are missing. This paper introduces an approach that enhances the policy mining process by predicting or inferring missing attribute values. This is accomplished by employing a contextual clustering technique that groups entities according to their known attributes, which are then used to analyze and refine authorization decisions. By effectively managing incomplete data, our approach provides security administrators with a valuable tool to improve their attribute data and ensure a smoother, more efficient transition to ABAC.
Paper Structure (13 sections, 4 figures)

This paper contains 13 sections, 4 figures.

Figures (4)

  • Figure 1: Algorithm for predicting a user missing attribute value.
  • Figure 2: Sample university policy.
  • Figure 3: Evaluation methodology
  • Figure 4: Experimental results for our algorithm on datasets with different missing percentages (Miss. %). "Acc" is the average accuracy achieved on each policy. "Acc" is the average accuracy achieved on each policy."Time" is the average running time for each policy, measured in seconds. "#object" and "#attrs" are the average number of objects and the number of attributes for each input policy, respectively.