Greedy and evolutionary algorithms for mining relationship-based access control policies

作     者：Bui, Thang Stoller, Scott D. Li, Jiajie 

作者机构：SUNY Stony Brook Dept Comp Sci Stony Brook NY 11794 USA 

出 版 物：《COMPUTERS & SECURITY》 (计算机与安全)

年 卷 期：2019年第80卷

页      面：317-333页

核心收录：

学科分类：08[工学] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

基　　金：NSF [CNS-1421893, CCF-1414078] ONR [N00014-15-1-2208] AFOSR [FA9550-14-1-0261] DARPA [FA8650-15-C-7561] 

主　　题：Access control policy mining Relationship-based access control Attribute-based access control Evolutionary algorithms Access control policy development 

摘      要：Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which relationships are expressed using fields that refer to other objects, and path expressions are used to follow chains of relationships between objects. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy from an existing access control policy and attribute data. This paper presents two algorithms for mining ReBAC policies from access control lists (ACLs) and attribute data represented as an object model: a greedy algorithm guided by heuristics, and a grammar-based evolutionary algorithm. An evaluation of the algorithms on four sample policies and two large case studies demonstrates their effectiveness. (C) 2018 Elsevier Ltd. All rights reserved.