A Top-Down Policy Engineering Framework for Attribute-Based Access Control

Narouei, Masoud

05 1900

The purpose of this study is to propose a top-down policy engineering framework for attribute-based access control (ABAC) that aims to automatically extract ACPs from requirement specifications documents, and then, using the extracted policies, build or update an ABAC model. We specify a procedure that consists of three main components: 1) ACP sentence identification, 2) policy element extraction, and 3) ABAC model creation and update. ACP sentence identification processes unrestricted natural language documents and identify the sentences that carry ACP content. We propose and compare three different methodologies from different disciplines, namely deep recurrent neural networks (RNN-based), biological immune system (BIS-based), and a combination of multiple natural language processing techniques (PMI-based) in order to identify the proper methodology for extracting ACP sentences from irrelevant text. Our evaluation results improve the state-of-the-art by a margin of 5% F1-Measure. To aid future research, we also introduce a new dataset that includes 5000 sentences from real-world policy documents. ABAC policy extraction extracts ACP elements such as subject, object, and action from the identified ACPs. We use semantic roles and correctly identify ACP elements with an average F1 score of 75%, which bests the previous work by 15%. Furthermore, as SRL tools are often trained on publicly available corpora such as Wall Street Journal, we investigate the idea of improving SRL performance using domain-related knowledge. We utilize domain adaptation and semi-supervised learning techniques and improve the SRL performance by 2% using only a small amount of access control data. The third component, ABAC model creation and update, builds a new ABAC model or updates an existing one using the extracted ACP elements. For this purpose, we present an efficient methodology based on a particle swarm optimization algorithm for solving ABAC policy mining with minimal perturbation. Experimental results demonstrate that the proposed methodology generates much less complex policies than previous works using the same realistic case studies. Furthermore, we perform experiments on how to find an ABAC state as similar as possible to both the existing state and the optimal state. Part of the data utilized in this study was collected from the University of North Texas Policy Office, as well as policy documents from the university of North Texas Health Science Center, for the school years 2015-2016 through 2016-2017.

Attribute-based Access Control

Policy Engineering

Access Control Policy

Frameworks for Attribute-Based Access Control (ABAC) Policy Engineering

Alohaly, Manar

08 1900

In this disseration we propose semi-automated top-down policy engineering approaches for attribute-based access control (ABAC) development. Further, we propose a hybrid ABAC policy engineering approach to combine the benefits and address the shortcomings of both top-down and bottom-up approaches. In particular, we propose three frameworks: (i) ABAC attributes extraction, (ii) ABAC constraints extraction, and (iii) hybrid ABAC policy engineering. Attributes extraction framework comprises of five modules that operate together to extract attributes values from natural language access control policies (NLACPs); map the extracted values to attribute keys; and assign each key-value pair to an appropriate entity. For ABAC constraints extraction framework, we design a two-phase process to extract ABAC constraints from NLACPs. The process begins with the identification phase which focuses on identifying the right boundary of constraint expressions. Next is the normalization phase, that aims at extracting the actual elements that pose a constraint. On the other hand, our hybrid ABAC policy engineering framework consists of 5 modules. This framework combines top-down and bottom-up policy engineering techniques to overcome the shortcomings of both approaches and to generate policies that are more intuitive and relevant to actual organization policies. With this, we believe that our work takes essential steps towards a semi-automated ABAC policy development experience.

constraints extraction framework

attribute-based access control (ABAC)

top-down policy engineering approaches