TY - JOUR
T1 - A data classification method for inconsistency and incompleteness detection in access control policy sets
AU - Shaikh, Riaz Ahmed
AU - Adi, Kamel
AU - Logrippo, Luigi
N1 - Funding Information:
The work reported in this article was partially supported by the Natural Sciences and Engineering Research Council of Canada, PROMPT Quebec, and CA Technologies. We would like to thank Serge Mankovski of CA Technologies for having helped our effort. The authors would also like to thank all members of the Computer Security Research Lab (UQO,Canada), and Bernard Stepien for providing useful comments and suggestions.
Publisher Copyright:
© 2016, Springer-Verlag Berlin Heidelberg.
PY - 2017/2/1
Y1 - 2017/2/1
N2 - Access control policies may contain anomalies such as incompleteness and inconsistency, which can result in security vulnerabilities. Detecting such anomalies in large sets of complex policies automatically is a difficult and challenging problem. In this paper, we propose a novel method for detecting inconsistency and incompleteness in access control policies with the help of data classification tools well known in data mining. Our proposed method consists of three phases: firstly, we perform parsing on the policy data set; this includes ordering of attributes and normalization of Boolean expressions. Secondly, we generate decision trees with the help of our proposed algorithm, which is a modification of the well-known C4.5 algorithm. Thirdly, we execute our proposed anomaly detection algorithm on the resulting decision trees. The results of the anomaly detection algorithm are presented to the policy administrator who will take remediation measures. In contrast to other known policy validation methods, our method provides means for handling incompleteness, continuous values and complex Boolean expressions. In order to demonstrate the efficiency of our method in discovering inconsistencies, incompleteness and redundancies in access control policies, we also provide a proof-of-concept implementation.
AB - Access control policies may contain anomalies such as incompleteness and inconsistency, which can result in security vulnerabilities. Detecting such anomalies in large sets of complex policies automatically is a difficult and challenging problem. In this paper, we propose a novel method for detecting inconsistency and incompleteness in access control policies with the help of data classification tools well known in data mining. Our proposed method consists of three phases: firstly, we perform parsing on the policy data set; this includes ordering of attributes and normalization of Boolean expressions. Secondly, we generate decision trees with the help of our proposed algorithm, which is a modification of the well-known C4.5 algorithm. Thirdly, we execute our proposed anomaly detection algorithm on the resulting decision trees. The results of the anomaly detection algorithm are presented to the policy administrator who will take remediation measures. In contrast to other known policy validation methods, our method provides means for handling incompleteness, continuous values and complex Boolean expressions. In order to demonstrate the efficiency of our method in discovering inconsistencies, incompleteness and redundancies in access control policies, we also provide a proof-of-concept implementation.
KW - Access control
KW - Data classification
KW - Incompleteness
KW - Inconsistency
KW - Policy validation
KW - Redundancy
UR - http://www.scopus.com/inward/record.url?scp=84956859681&partnerID=8YFLogxK
U2 - 10.1007/s10207-016-0317-1
DO - 10.1007/s10207-016-0317-1
M3 - Article
AN - SCOPUS:84956859681
VL - 16
SP - 91
EP - 113
JO - International Journal of Information Security
JF - International Journal of Information Security
SN - 1615-5262
IS - 1
ER -