An Approach for Handling Missing Attribute Values in Attribute-Based Access Control Policy Mining
Thang Bui, Elliot Shabram, Anthony Matricia
TL;DR
The paper tackles the challenge of missing attribute values in ABAC policy mining by predicting missing attributes through a two-phase approach: contextual clustering of users and resources, followed by regression-based analysis of group-specific entitlements to infer missing values with assigned confidence levels. It adopts Xu et al.'s ABAC policy language and defines the problem in terms of predicting missing attributes with $\langle \text{High}, \text{Medium}, \text{NEI} \rangle$ confidence, using $E_0$ entitlements as the basis for learning. The method leverages a Jaccard-based similarity on non-NULL attributes and a linear regression model to identify top features that influence permissions, enabling targeted predictions via a top-$N$ feature framework $\langle \text{numHigh}, \text{numMed} \rangle$. Experimental results on University and Project Management datasets show high accuracy for predicted values (often $100\%$ for high-confidence predictions) and robust coverage, demonstrating the approach's potential to smooth the transition to ABAC and provide data-quality insights for policy mining, with potential extensions to ReBAC settings.
Abstract
Attribute-Based Access Control (ABAC) enables highly expressive and flexible access decisions by considering a wide range of contextual attributes. ABAC policies use logical expressions that combine these attributes, allowing for precise and context-aware control. Algorithms that mine ABAC policies from legacy access control systems can significantly reduce the costs associated with migrating to ABAC. However, a major challenge in this process is handling incomplete entity information, where some attribute values are missing. This paper introduces an approach that enhances the policy mining process by predicting or inferring missing attribute values. This is accomplished by employing a contextual clustering technique that groups entities according to their known attributes, which are then used to analyze and refine authorization decisions. By effectively managing incomplete data, our approach provides security administrators with a valuable tool to improve their attribute data and ensure a smoother, more efficient transition to ABAC.
