News‎ > ‎

Automatic Generation of Access Control Policies

posted Dec 2, 2014, 3:26 AM by Alberto Bartoli   [ updated Mar 23, 2015, 2:54 AM by Eric Medvet ]
New publication of the lab at the (biennal and prestigious) 8-th International Conference on Evolutionary Multiobjective Optimizationin collaboration with Prof. Elena Ferrari and Prof. Barbara Carminati

In this work we consider a challenging security-related problem: how to generate access control rules expressed in a modern attribute-based access control language automatically, starting from a set of examples in the form of a log of requests to be allowed and of requests to be denied.
  • The interest in attribute-based access control policies is increasingly growing due to their ability to accommodate the complex security requirements of modern computer systems.
  • With this novel paradigm, access control policies consist of attribute expressions which implicitly describe the properties of subjects and protection objects and which must be satisfied for a request to be allowed.
  •  Since specifying a policy in this framework may be very complex, approaches for policy mining, i.e., for inferring a specification automatically from examples in the form of logs of authorized and denied requests, have been recently proposed.
We solve this problem with an evolutionary approach that is capable of dealing successfully with case studies of realistic complexity. We designed and implemented this approach that exhibits several interesting features:
  • We use a multi-objective optimization strategy tailored to this problem.
  • We designed and implemented a problem representation suitable for evolutionary computation;
  • We designed and implemented several search-optimizing features which have proven to be highly useful in this context: a strategy for learning a policy by learning single rules, each one focused on a subset of requests; a custom initialization of the population; a scheme for diversity promotion and for early termination.
This work greatly benefited from our strong experience in automatic generation of regular expressions from examples. It also allowed us to identify new strategies that are extremely useful also for those problems---we will describe them publicly soon, stay tuned.

This multi-objective optimization problem is probably more interesting but certainly less funny than other problems that we have considered earlier in the lab (see "Design of Footbal Teams").