
Generation of Human Comprehensible Access Control Policies from Audit Logs

Gautam Kumar, Ravi Sundaram, Shamik Sural

Abstract

Over the years, access control systems have become increasingly complex, often causing a disconnect between what is envisaged by the stakeholders in decision-making positions and the actual permissions granted, as evidenced by access logs. For instance, Attribute-based Access Control (ABAC), which is a flexible yet complex model typically configured by system security officers, can be made understandable to others only when presented at a high level in natural language. Although several algorithms have been proposed in the literature for automatic extraction of ABAC rules from access logs, there has been no attempt yet to bridge the semantic gap between the machine-enforceable formal logic and human-centric policy intent. Our work addresses this problem by developing a framework that generates human-understandable natural language access control policies from logs. We investigate to what extent the power of Large Language Models (LLMs) can be harnessed to achieve both accuracy and scalability in the process. We have instantiated the framework, named LANTERN (LLM-based ABAC Natural Translation and Explanation for Rule Navigation), as a publicly accessible web-based application for reproducibility of our results.

Paper Structure (13 sections, 5 figures, 4 tables)

This paper contains 13 sections, 5 figures, 4 tables.

Figures (5)

  • Figure 1: Two-stage, LLM-driven architecture of LANTERN: Stage 1 (Code Generation) and Stage 2 (Policy Summarization)
  • Figure 2: Structured prompt architecture for LANTERN: Code generation (left) and Policy Summarization (right)
  • Figure 3: Evaluation of policy mining coverage. (a) Impact of increasing user attributes for ABAC logs (b) Impact of increasing object attributes for ABAC logs and (c) Effectiveness on logs from native ABAC and legacy DAC systems.
  • Figure 4: Evaluation of policy mining performance in terms of execution time in seconds for ABAC logs
  • Figure 5: Log Coverage (%) vs. Log Size for the three evaluated methodologies.