Detecting and resolving policy misconfigurations in access-control systems

Published: 06 June 2011

Abstract

Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration, and, in the context of particular applications (e.g., health care), very severe consequences. In this article we apply association rule mining to the history of accesses to predict changes to access-control policies that are likely to be consistent with users' intentions, so that these changes can be instituted in advance of misconfigurations interfering with legitimate accesses. Instituting these changes requires the consent of the appropriate administrator, of course, and so a primary contribution of our work is how to automatically determine from whom to seek consent and how to minimize the costs of doing so. We show using data from a deployed access-control system that our methods can reduce the number of accesses that would have incurred costly time-of-access delays by 43%, and can correctly predict 58% of the intended policy. These gains are achieved without impacting the total amount of time users spend interacting with the system.
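
The idea in the abstract, sketched as an added example (not code from the article or its authors): mine association rules from a history of allowed accesses, then treat users who match a rule's premise but lack its consequent as candidate policy changes to put to an administrator. The log, thresholds and function names are constructed for illustration.

```python
from itertools import combinations
from collections import defaultdict

# Constructed access history: (user, resource) pairs for accesses that were allowed.
ACCESS_LOG = [
    ("alice", "lab-door"), ("alice", "server-room"), ("alice", "printer"),
    ("bob", "lab-door"), ("bob", "server-room"), ("bob", "printer"),
    ("carol", "lab-door"), ("carol", "server-room"),
    ("dave", "lab-door"), ("dave", "printer"),
    ("erin", "lab-door"), ("erin", "server-room"), ("erin", "printer"),
    ("frank", "mail-room"),
]

def build_records(log):
    """Group the log into one record per user: the set of resources accessed."""
    records = defaultdict(set)
    for user, resource in log:
        records[user].add(resource)
    return dict(records)

def mine_rules(records, min_support=0.4, min_confidence=0.7, max_premise=2):
    """Return rules (premise, consequent, support, confidence) above both thresholds."""
    n = len(records)
    resources = sorted(set().union(*records.values()))
    rules = []
    for size in range(1, max_premise + 1):
        for premise in combinations(resources, size):
            holders = [u for u, seen in records.items() if set(premise) <= seen]
            if not holders:  # no user satisfies the premise; confidence undefined
                continue
            for target in resources:
                if target in premise:
                    continue
                both = sum(1 for u in holders if target in records[u])
                support, confidence = both / n, both / len(holders)
                if support >= min_support and confidence >= min_confidence:
                    rules.append((premise, target, support, confidence))
    return rules

def predict_grants(records, rules):
    """Users matching a premise but lacking the consequent are candidate grants."""
    best = {}
    for premise, target, _, confidence in rules:
        for user, seen in records.items():
            if set(premise) <= seen and target not in seen:
                key = (user, target)
                best[key] = max(confidence, best.get(key, 0.0))
    return sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))
```

Each prediction carries the confidence of the strongest rule behind it, which gives a natural order in which to ask for an administrator's consent; a user such as the constructed "frank", whose history matches no rule, yields no prediction.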

        Published In

        ACM Transactions on Information and System Security  Volume 14, Issue 1
        May 2011
        366 pages
        ISSN:1094-9224
        EISSN:1557-7406
        DOI:10.1145/1952982
        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Publication History

        Published: 06 June 2011
        Accepted: 01 April 2010
        Revised: 01 December 2009
        Received: 01 October 2008
        Published in TISSEC Volume 14, Issue 1

        Author Tags

        1. Access control
        2. machine learning
        3. policy inference

        Qualifiers

        • Research-article
        • Research
        • Refereed
