391 research outputs found
Mining Stable Roles in RBAC
Abstract In this paper we address the problem of generating a candidate role set for an RBAC configuration that enjoys the following two key features: it minimizes the admin-istration cost; and, it is a stable candidate role-set. To achieve these goals, we implement a three steps methodology: first, we associate a weight to roles; second, we identify and remove the user-permission assignments that can not belong to a role having a weight ex-ceeding a given threshold; third, we restrict the problem of finding a candidate role-set for the given system configuration using only the user-permission assignments that have not been removed in step two (that is, user-permission assignments that belong to roles having a weight exceeding the given threshold). We formally show —proof of our results are rooted in graph theory — that this methodol-ogy achieves the intended goals. Finally, we discuss practical applications of our approach to the role mining problem.
Logic Programming Applications: What Are the Abstractions and Implementations?
This article presents an overview of applications of logic programming,
classifying them based on the abstractions and implementations of logic
languages that support the applications. The three key abstractions are join,
recursion, and constraint. Their essential implementations are for-loops, fixed
points, and backtracking, respectively. The corresponding kinds of applications
are database queries, inductive analysis, and combinatorial search,
respectively. We also discuss language extensions and programming paradigms,
summarize example application problems by application areas, and touch on
example systems that support variants of the abstractions with different
implementations
Application of Risk Metrics for Role Mining
Incorporating risk consideration in access control systems has recently become a popular research topic. Related to this is risk awareness which is needed to enable access control in an agile and dynamic way. While risk awareness is probably known for an established access control system, being aware of risk even before the access control system is defined can mean identification of users and permissions that are most likely to lead to dangerous or error-prone situations from an administration point of view. Having this information available during the role engineering phase allows data analysts and role engineers to highlight potentially risky users and permissions likely to be misused. While there has been much recent work on role mining, there has been little consideration of risk during the process. In this thesis, we propose to add risk awareness to role mining. We aggregate the various possible risk factors and categorize them into four general types, which we refer to as risk metrics, in the context of role mining. Next, we propose a framework that incorporates some specific examples of each of these risk metrics before and after role mining. We have implemented a proof-of-concept prototype, a Risk Awareness system for Role Mining (aRARM) based on this framework and applied it to two case studies: a small organizational project and a university database setting. The aRARM prototype is automatically able to detect different types of risk factors when we add different types of noise to this data. The results from the two case studies draw some correlation between the behavior of the different risk factors due to different types and amounts of noise. We also discuss the effect of the different types and amounts of noise on the different role mining algorithms implemented for this study. While the detection rating value for calculating the risk priority number has previously been calculated after role mining, we attempt to find an initial estimate of the detection rating before role mining
Extracting Role-Based Access Control Models from Business Process Event Logs
Keeruliste äriprotsesside ja järjest suurenevate andmemahtude juures on väljakutsuvaks
ülesandeks analüüsida ja parandada ettevõtte äriprotsessi andmeturvalisust. Infosüsteemid,
mis toetavad äriprotsessi mudeli (abstraktne esitus äriprotsessist) rakendamist, registreerivad
äriprotsessi tegevusi sündmustena eraldi logisse. Salvestatud sündmuste logid on aluseks
äriprotsessiga seotud andmete kaevamiseks. Need andmed on vajalikud äriprotsessi
analüüsimiseks ja parendamiseks, kuid neid andmeid võib kasutada ka turvaanalüüsiks.
Turvaanalüüsi üheks eesmärgiks on ka kontrollida, kas nende andmete hulgas turvalisusega
seotud informatsioon on kooskõlas praeguste turvanõuetega. Lisaks, äriprotsessi logide peal
saab rakendada äriprotsessikaeve (uurimisvaldkond, mis ühendab andmekaeve ja
äriprotsesside modelleerimise) tehnikaid, et luua äriprotsessi mudeleid. Lisaks äriprotsessi
mudelitele on võimalik tuletada ka teisi mudeleid, näiteks turvamudeleid, mida saab hiljem
kasutada turvameetmete tagamiseks infosüsteemis. Käesoleva töö eesmärgiks on esitada üks
võimalik meetod, kuidas luua rollipõhist ligipääsukontrolli esitatavaid turvamudeleid (Role-
Based Access Control models) XES-formaadis sündmuste logidest, mis on salvestatud
äriprotsessi toetava infosüsteemi poolt. Lisatähelepanu on suunatud kaitstavate infovarade
väljaselgitamiseks sündmuste logide põhjal. Need infovarad on näiteks dokumendid,
dokumendiväljad, või muud andmed, mida töödeldakse äriprotsessi tegevuste jooksul. Lisaks,
me hindame antud meetodi rakendatavust reaalse äriprotsessi sündmuste logi peal. Ühe
võimaliku meetodina me kontrollime sündmuste logi andmete ja seoste vastavust juurdepääsu
õigustega olemasoleva rollipõhise juurdepääsu kontrolli turvamudelis. Lõppkokkuvõttes võib
sündmuste logidest tuletatud rollipõhist ligipääsu kontrolli mudelit võtta aluseks
turvaanalüüsiks või rakendada mõnes süsteemis juurdepääsumehhanismina.Today, as business processes are getting more complex and the volumes of stored data about
business process executions are increasing in size, collecting information for the analysis and
for the improvement of the business process security1, is becoming a complex task.
Information systems that support business processes record business process executions into
event logs which capture the behavior of system usage in terms of events. Business process
event logs can be used for analysing and improving the business process, but also for
analysing the information security. One of the main goals of security analysis is to check the
compliance with existing security requirements. Also event logs can be the basis for business
process mining, or shortly process mining. Utilizing bottom-up process mining on event logs,
we can extract business process-related information for security analysis. Process mining is
not just only for discovering business process models, but also other models, such as security
models. For this purpose, we present a possible approach to extract RBAC models
(semi-)automatically from event logs in XES format. The focus is also on determining the
protected business assets, such as document or other artifact data that is exchanged and
accessed during business process activities. In addition, we evaluate the applicability of this
approach with conformance checking where we check the compliance of a real-life event log
with respect to the LTL constraints translated from RBAC model. Eventually, the purpose of
the extracted RBAC models is that they provide a basis for security analysis and they can be
adapted by other applications in order to implement access control mechanism
Attribute-Based Access Control Policy Generation Approach from Access Logs Based on CatBoost
Attribute-based access control (ABAC) has higher flexibility and better scalability than traditional access control and can be used for fine-grained access control of large-scale information systems. Although ABAC can depict a dynamic, complex access control policy, it is costly, tedious, and error-prone to manually define. Therefore, it is worth studying how to construct an ABAC policy efficiently and accurately. This paper proposes an ABAC policy generation approach based on the CatBoost algorithm to automatically learn policies from historical access logs. First, we perform a weighted reconstruction of the attributes for the policy to be mined. Second, we provide an ABAC rule extraction algorithm, rule pruning algorithm, and rule optimization algorithm, among which the rule pruning and rule optimization algorithms are used to improve the accuracy of the generated policies. In addition, we present a new policy quality indicator to measure the accuracy and simplicity of the generated policies. Finally, the results of an experiment conducted to validate the approach verify its feasibility and effectiveness
- …