
Role Mining with Probabilistic Models

Published: 01 April 2013

Abstract

Role mining tackles the problem of finding a role-based access control (RBAC) configuration, given an access-control matrix assigning users to access permissions as input. Most role-mining approaches work by constructing a large set of candidate roles and use a greedy selection strategy to iteratively pick a small subset such that the differences between the resulting RBAC configuration and the access control matrix are minimized. In this article, we advocate an alternative approach that recasts role mining as an inference problem rather than a lossy compression problem. Instead of using combinatorial algorithms to minimize the number of roles needed to represent the access-control matrix, we derive probabilistic models to learn the RBAC configuration that most likely underlies the given matrix.

Our models are generative in that they reflect the way that permissions are assigned to users in a given RBAC configuration. We additionally model how user-permission assignments that conflict with an RBAC configuration emerge and we investigate the influence of constraints on role hierarchies and on the number of assignments. In experiments with access-control matrices from real-world enterprises, we compare our proposed models with other role-mining methods. Our results show that our probabilistic models infer roles that generalize well to new system users for a wide variety of data, while other models’ generalization abilities depend on the dataset given.
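
The notions the abstract relies on (an RBAC configuration that generates permissions, matrix cells that conflict with it, and generalization to a new user) can be made concrete with a small added example. This is not the authors' model or code: the roles, users and matrix are constructed, and a minimum-mismatch search stands in for the paper's probabilistic inference, under the assumption of independent cell flips with probability below 0.5.

```python
from itertools import combinations

# Constructed sample data (not from the paper): permissions and a 3-role RBAC configuration.
PERMS = ["crm_read", "crm_write", "erp_read", "erp_post", "hr_read", "vpn"]
ROLES = {
    "sales": {"crm_read", "crm_write", "vpn"},
    "finance": {"erp_read", "erp_post"},
    "hr": {"hr_read", "vpn"},
}

def grant(role_set):
    """Permissions implied by a set of roles: the Boolean OR of their rows."""
    return set().union(*(ROLES[r] for r in role_set))

def deviations(user_roles, matrix):
    """(user, permission) cells where the matrix conflicts with the RBAC configuration."""
    return sorted((u, p) for u, held in matrix.items() for p in PERMS
                  if (p in held) != (p in grant(user_roles[u])))

def infer_roles(held, visible):
    """Role set with the fewest mismatches on the visible permissions.

    Assumption: each cell is flipped independently with probability < 0.5, so
    the minimum-mismatch role set is also the maximum-likelihood one.
    """
    candidates = [set(c) for k in range(len(ROLES) + 1)
                  for c in combinations(sorted(ROLES), k)]
    def mismatches(rs):
        g = grant(rs)
        return sum((p in held) != (p in g) for p in visible)
    # Ties go to the smaller role set, so one odd cell does not add a role.
    return min(candidates, key=lambda rs: (mismatches(rs), len(rs)))

def generalization_error(true_perms, visible):
    """Infer roles from the visible permissions only, then score the hidden ones."""
    hidden = [p for p in PERMS if p not in visible]
    predicted = grant(infer_roles(true_perms & set(visible), visible))
    return sum((p in true_perms) != (p in predicted) for p in hidden) / len(hidden)

# Constructed access-control matrix with two cells that conflict with the roles.
USER_ROLES = {"alice": {"sales"}, "bob": {"finance"}, "carol": {"sales"}}
MATRIX = {
    "alice": {"crm_read", "crm_write", "vpn"},
    "bob": {"erp_read", "erp_post", "hr_read"},  # extra permission
    "carol": {"crm_read", "vpn"},                # missing crm_write
}
NEW_USER = {"crm_read", "crm_write", "erp_read", "erp_post", "vpn"}
VISIBLE = ["crm_read", "erp_read", "hr_read", "vpn"]

if __name__ == "__main__":
    print(deviations(USER_ROLES, MATRIX))
    print(infer_roles(NEW_USER, VISIBLE), generalization_error(NEW_USER, VISIBLE))
```

Bob's stray hr_read is reported as a deviation instead of pulling in the hr role, and the new user's two hidden permissions are predicted from the roles inferred on the four visible ones.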


Published in

ACM Transactions on Information and System Security, Volume 15, Issue 4
April 2013
117 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2445566

Copyright © 2013 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 1 April 2013
• Accepted: 1 December 2012
• Revised: 1 October 2012
• Received: 1 June 2012

Qualifiers

• research-article
• Research
• Refereed