A Nature-Inspired Framework for Optimal Mining of Attribute-Based Access Control Policies

Abstract

Even though attribute-based access control (ABAC) has been applied to address authorization in areas such as cloud and internet of things, implementing ABAC policies can become complex due to the high expressiveness of ABAC specifications. In order to semi-automate this process, several policy mining approaches have been proposed that mostly derive ABAC policies from access request logs. These approaches, however, do not take into account the existing ABAC policies and attempt to define all policies from scratch, which is not acceptable for an enterprise that already has an implemented ABAC system. Given basic assumptions on how access control configurations are generated, we first provide a formal definition of ABAC policy mining with minimal perturbation that fulfills the requirements that enterprises typically have. We then present an effective and efficient methodology based on particle swarm optimization algorithm for addressing the ABAC policy mining and ABAC policy mining with minimal perturbation problems. Experimental results demonstrate that the proposed methodology is able to generate much less complex policies than previous works using the same realistic case studies. Furthermore, we perform experiments on how to find an ABAC state as similar as possible to both the existing state and the optimal state.