Role Mining with Probabilistic Models

Abstract
Role mining tackles the problem of finding a role-based access control (RBAC) configuration, given as input an access-control matrix that assigns access permissions to users. Most role-mining approaches work by constructing a large set of candidate roles and then using a greedy selection strategy to iteratively pick a small subset of them, such that the differences between the resulting RBAC configuration and the access-control matrix are minimized. In this article, we advocate an alternative approach that recasts role mining as an inference problem rather than a lossy compression problem. Instead of using combinatorial algorithms to minimize the number of roles needed to represent the access-control matrix, we derive probabilistic models to learn the RBAC configuration that most likely underlies the given matrix.
Our models are generative in that they reflect the way that permissions are assigned to users in a given RBAC configuration. We additionally model how user-permission assignments that conflict with an RBAC configuration emerge and we investigate the influence of constraints on role hierarchies and on the number of assignments. In experiments with access-control matrices from real-world enterprises, we compare our proposed models with other role-mining methods. Our results show that our probabilistic models infer roles that generalize well to new system users for a wide variety of data, while other models’ generalization abilities depend on the dataset given.
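To make the "candidate roles plus greedy selection" scheme that the abstract contrasts with its probabilistic approach concrete, here is a small worked illustration. It is an added example, not the paper's code and not the probabilistic model the paper proposes; the access-control matrix `UPA`, the candidate-generation rule (each user's permission set plus pairwise intersections) and the `max_roles` cap are assumptions chosen for the illustration. Capping the number of roles shows the lossy-compression trade-off the abstract refers to: with fewer roles, the mined configuration no longer reproduces the matrix exactly.

```python
"""Toy greedy role mining over a Boolean user-permission matrix.

Added illustration; this is not the paper's code or the probabilistic model it
proposes. It shows the candidate-role-plus-greedy-selection scheme described in
the abstract: build candidate roles, then repeatedly pick the candidate that
explains the most still-unexplained user-permission assignments. An optional
cap on the number of roles exposes the lossy-compression trade-off.
"""
from itertools import combinations

# Constructed sample access-control matrix: rows are users, columns are permissions.
UPA = [
    [1, 1, 1, 0, 0, 0],  # user 0
    [1, 1, 1, 0, 0, 0],  # user 1
    [0, 0, 1, 1, 1, 0],  # user 2
    [0, 0, 1, 1, 1, 0],  # user 3
    [1, 1, 1, 1, 1, 0],  # user 4: needs both of the obvious roles
    [1, 1, 1, 0, 0, 1],  # user 5: first role plus one exceptional permission
]


def user_permission_sets(upa):
    """Row i of the matrix as the set of permission indices user i holds."""
    return [frozenset(j for j, v in enumerate(row) if v) for row in upa]


def candidate_roles(upa):
    """Candidate roles (assumed rule): each user's permission set and all pairwise intersections."""
    user_sets = user_permission_sets(upa)
    cands = {s for s in user_sets if s}
    for a, b in combinations(user_sets, 2):
        if a & b:
            cands.add(a & b)
    return cands


def mine_roles(upa, max_roles=None):
    """Greedy selection.

    At each step, pick the candidate role that covers the most not-yet-covered
    1s, counting only users whose permission set contains the whole candidate
    (so a role never grants a permission the user lacks). Stops when every 1 is
    covered or when max_roles roles have been chosen. Returns (roles, ua), where
    roles[r] is a frozenset of permissions and ua[u] is the set of role indices
    assigned to user u.
    """
    user_sets = user_permission_sets(upa)
    uncovered = [set(s) for s in user_sets]
    cands = candidate_roles(upa)
    roles, ua = [], [set() for _ in upa]
    while any(uncovered) and (max_roles is None or len(roles) < max_roles):
        best, best_gain = None, 0
        for c in sorted(cands, key=sorted):  # deterministic tie-breaking
            gain = sum(len(c & uncovered[u]) for u, s in enumerate(user_sets) if c <= s)
            if gain > best_gain:
                best, best_gain = c, gain
        if best is None:
            break
        r = len(roles)
        roles.append(best)
        cands.discard(best)
        for u, s in enumerate(user_sets):
            if best <= s and best & uncovered[u]:
                ua[u].add(r)
                uncovered[u] -= best
    return roles, ua


def reconstruct(roles, ua, n_perms):
    """Boolean product of UA and PA: user u gets permission p iff an assigned role grants p."""
    return [[int(any(p in roles[r] for r in ua[u])) for p in range(n_perms)]
            for u in range(len(ua))]


def differences(upa, recon):
    """Number of cells where the mined RBAC configuration and the matrix disagree."""
    return sum(a != b for ra, rb in zip(upa, recon) for a, b in zip(ra, rb))


if __name__ == "__main__":
    n_perms = len(UPA[0])
    for cap in (None, 2):
        roles, ua = mine_roles(UPA, max_roles=cap)
        diff = differences(UPA, reconstruct(roles, ua, n_perms))
        print(f"max_roles={cap}: {len(roles)} roles, {diff} differences, "
              f"roles={[sorted(r) for r in roles]}")
```

On the constructed matrix the uncapped run mines three roles and reproduces the matrix exactly, the third role existing only to explain user 5's single exceptional permission. Capped at two roles, that exception is left unexplained and shows up as one difference between the configuration and the matrix, which is precisely the kind of conflicting assignment the abstract says the probabilistic models treat as a modelled phenomenon rather than as compression error to be minimized.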
Supplemental Material
The proof is given in an electronic appendix, available online in the ACM Digital Library.