基于深度学习的ABAC访问控制策略自动化生成技术

doi:10.11959/j.issn.1000-436X.2020212

Abstract

Abstract:

To solve the problem of automatic generation of access control policies, an access control policy generation framework based on deep learning was proposed.Access control policy based on attributes could be generated from natural language texts.This technology could significantly reduce the time cost of access control policy generation and provide effective support for the implementation of access control.The policy generation problem was decomposed into two core tasks, identification of access control policy sentence and access control attribute mining.Neural network models such as BiGRU-CNN-Attention and AM-BiLSTM-CRF were designed respectively to realize identification of access control policy sentence and access control attribute mining, so as to generate readable and executable access control policies.Experimental results show that the proposed method has better performance than the benchmark method.In particular, the average F1-score index can reach 0.941 in the identification task of access control policy sentence, which is 4.1% better than the current state-of-the-art method.

Key words: access control, ABAC model, policy generation, natural language processing, deep learning

CLC Number:

TP309

Aodi LIU, Xuehui DU, Na WANG, Rui QIAO. ABAC access control policy generation technique based on deep learning[J]. Journal on Communications, 2020, 41(12): 8-20.

Figures/Tables 16

方法	数据集		性能
方法	数据集	Precision	Recall	F1-score
文献[26]	iTrust、IBM App	0.887	0.894	0.891
文献[27]	iTrust	0.873	0.908	0.890
文献[28]	iTrust、IBM App、Cyberchair、Collected ACP	0.830	0.874	0.852
文献[19]	iTrust、IBM App、Cyberchair、Collected ACP	0.900	0.900	0.900
文献[31]	iTrust、IBM App、Cyberchair、Collected ACP	0.813	0.742	0.775
文献[30]	iTrust、IBM App、Cyberchair	0.583	0.863	0.657
文献[29]	iTrust、IBM App、Cyberchair	0.635	0.863	0.698
本文所提方法	iTrust、IBM App、Cyberchair、Collected ACP	$0 . 942$	$0 . 941$	$0 . 941$

方法		主体属性			动作属性			客体属性
方法	Precision	Recall	F1-score	Precision	Recall	F1-score	Precision	Recall	F1-score
BiLSTM	0.783 3	0.783 3	0.783 3	0.843 6	0.804 2	0.823 4	0.706 7	0.868 9	0.779 4
CNN_LSTM	0.717 0	0.666 7	0.690 9	0.830 3	0.830 1	0.827 2	0.626 5	0.787 9	0.698 0
本文所提方法	$0 . 7857$	$0 . 8302$	$0 . 8073$	$0 . 8676$	$0 . 8814$	$0 . 8730$	$0 . 7910$	$0 . 8983$	$0 . 8413$

方法		主体属性			动作属性			客体属性
方法	Precision	Recall	F1-score	Precision	Recall	F1-score	Precision	Recall	F1-score
BiLSTM	0.875 5	$0 . 8965$	$0 . 8858$	0.850 7	0.866 4	0.858 4	0.786 2	$0 . 8440$	0.814 1
CNN_LSTM	0.804 6	0.768 7	0.786 2	$0 . 9724$	0.520 3	0.661 2	0.709 1	0.799 4	0.748 6
本文所提方法	$0 . 9024$	0.868 0	0.884 8	0.885 0	$0 . 9287$	$0 . 9064$	$0 . 8182$	0.831 7	$0 . 8249$

方法		主体属性			动作属性			客体属性
方法	Precision	Recall	F1-score	Precision	Recall	F1-score	Precision	Recall	F1-score
OB	0.723 2	0.800 7	0.760 0	0.835 5	0.811 0	0.823 0	0.696 0	0.882 4	0.778 1
$O B M$	$0 . 7857$	$0 . 8302$	$0 . 8073$	$0 . 8676$	$0 . 8814$	$0 . 8730$	$0 . 7910$	$0 . 8983$	$0 . 8413$

方法		主体属性			动作属性			客体属性
方法	Precision	Recall	F1-score	Precision	Recall	F1-score	Precision	Recall	F1-score
OB	0.805 5	0.777 0	0.791 0	0.802 0	0.831 0	0.816 2	0.699 0	0.844 8	0.765 0
$O B M$	$0 . 9024$	$0 . 8680$	$0 . 8848$	$0 . 8850$	$0 . 9287$	$0 . 9064$	$0 . 8182$	0.831 7	$0 . 8249$

References 36

[1]	冯登国, 张敏, 李昊 . 大数据安全与隐私保护[J]. 计算机学报, 2014,37(1): 246-258.
	FENG D G , ZHANG M , LI H . Big data security and privacy protection[J]. Chinese Journal of Computers, 2014,37(1): 246-258.
[2]	房梁, 殷丽华, 郭云川 ,等. 基于属性的访问控制关键技术研究综述[J]. 计算机学报, 2017,40(7): 1680-1698.
	FANG L , YIN L H , GUO Y C ,et al. A survey of key technologies in attribute-based access control scheme[J]. Chinese Journal of Computers, 2017,40(7): 1680-1698.
[3]	SERVOS D , OSBORN S L . Current research and open problems in attribute-based access control[J]. ACM Computing Surveys, 2017,49(4): 1-45.
[4]	XIN J , KRISHNAN R , SANDHU R . A unified attribute-based access control model covering DAC,MAC and RBAC[C]// Proceedings of the 26th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy. Berlin:Springer, 2012: 41-55.
[5]	HU V , KUHN D , FERRAIOLO D . Attribute-based access control[J]. Computer, 2015,48(2): 85-88.
[6]	BUI T , STOLLER S D , LI J . Greedy and evolutionary algorithms for mining relationship-based access control policies[J]. Computers ＆ Security, 2019,80: 317-333.
[7]	SANDERS M W , YUE C . Mining least privilege attribute based access control policies[C]// Annual Computer Security Applications Conference. New York:ACM Press, 2019: 404-416.
[8]	VAIDYA J , ATLURI V , WARNER J ,et al. Role engineering via prioritized subset enumeration[J]. IEEE Transactions on Dependable ＆ Secure Computing, 2010,7(3): 300-314.
[9]	BAUMGRASS A , STREMBECK M . Bridging the gap between role mining and role engineering via migration guides[J]. Information Security Technical Report, 2013,17(4): 148-172.
[10]	HARIKA P , NAGAJYOTHI M , JOHN J C ,et al. Meeting cardinality constraints in role mining[J]. IEEE Transactions on Dependable ＆Secure Computing, 2015,12(1): 71-84.
[11]	NEUMANN G , STREMBECK M . A scenario-driven role engineering process for functional RBAC roles[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2002: 33-42.
[12]	DAS S , SURAL S , VAIDYA J ,et al. VisMAP:visual mining of attribute-based access control policies[C]// International Conference on Information Systems Security. Berlin:Springer, 2019: 79-98.
[13]	TALUKDAR T , BATRA G , VAIDYA J ,et al. Efficient bottom-up mining of attribute based access control policies[C]// IEEE 3rd International Conference on Collaboration and Internet Computing. Piscataway:IEEE Press, 2017: 339-348.
[14]	KARIMI L , JOSHI J . An unsupervised learning based approach for mining attribute based access control policies[C]// International Conference on Big Data. Piscataway:IEEE Press, 2018: 1427-1436.
[15]	COTRINI C , WEGHORN T , BASIN D . Mining ABAC rules from sparse logs[C]// IEEE European Symposium on Security and Privacy. Piscataway:IEEE Press, 2018: 31-46.
[16]	GAUTAM M , JHA S , SURAL S ,et al. Poster:constrained policy mining in attribute based access control[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2017: 121-123.
[17]	IYER P , MASOUMZADEH A . Mining positive and negative attribute-based access control policy rules[C]// Symposium on Access Control Models and technologies. New York:ACM Press, 2018: 161-172.
[18]	KUHLMANN M , SHOHAT D , SCHIMPF G ,et al. Role mining-revealing business roles for security administration using data mining technology[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2003: 179-186.
[19]	NAROUEI M , KHANPOUR H , TAKABI H . Identification of access control policy sentences from natural language policy documents[C]// IFIP Annual Conference on Data and Applications Security and Privacy. Berlin:Springer, 2017: 82-100.
[20]	NAROUEI M , TAKABI H , NIELSEN R D . Automatic extraction of access control policies from natural language documents[J]. IEEE Transactions on Dependable and Secure Computing, 2018,17(3): 1.
[21]	XU Z , STOLLER S D . Mining attribute-based access control policies[J]. IEEE Transactions on Dependable and Secure Computing, 2015,12(5): 533-545.
[22]	MOCANU D C , TURKMEN F , LIOTTA A . Towards ABAC policy mining from logs with deep learning[C]// In Proceedings of International Multi Conference. Piscataway:IEEE Press, 2015: 10-16.
[23]	HE Q,ANTóN A I . Requirements-based access control analysis and policy specification (ReCAPS)[J]. Information ＆ Software Technology, 2009,51(6): 993-1009.
[24]	SHI L L , CHADWICK D W . A controlled natural language interface for authoring access control policies[C]// Applied Computing. New York:ACM Press, 2011: 1524-1530.
[25]	SCHWITTER R , . Controlled natural languages for knowledge representation[C]// International Conference on Computational Linguistics. New York:ACM Press, 2010: 1113-1121.
[26]	XIAO X , PARADKAR A , THUMMALAPENTA S ,et al. Automated extraction of security policies from natural-language software documents[C]// ACM Sigsoft International Symposium on the Foundations of Software Engineering. New York:ACM Press, 2012: 1-11.
[27]	SLANKAS J , WILLIAMS L . Access control policy extraction from unconstrained natural language text[C]// 2013 International Conference on Social Computing. New York:ACM Press, 2013: 435-440.
[28]	SLANKAS J , XIAO X , WILLIAMS L ,et al. Relation extraction for inferring access control rules from natural language artifacts[C]// Proceedings of the 30th Annual Computer Security Applications Conference. New York:ACM Press, 2014: 366-375.
[29]	NAROUEI M , TAKABI H . Automatic top-down role engineering framework using natural language processing techniques[C]// International Conference Information Security Theory and Practice. New York:ACM Press, 2015: 137-152.
[30]	NAROUEI M , TAKABI H . Towards an automatic top-down role engineering approach using natural language processing techniques[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2015: 157-160.
[31]	NAROUEI M , KHANPOUR H , TAKABI H ,et al. Towards a top-down policy engineering framework for attribute-based access control[C]// Symposium on Access Control Models and Technologies. New York:ACM Press, 2017: 103-114.
[32]	ALOHALY M , TAKABI H , BLANCO E ,et al. A deep learning approach for extracting attributes of ABAC policies[C]// Symposium on Access Control models and Technologies. New York:ACM Press, 2018: 137-148.
[33]	ALOHALY M , TAKABI H , BLANCO E . Automated extraction of attributes from natural language attribute-based access control (ABAC) policies[J]. Cybersecurity, 2019,2(1): 2-12.
[34]	BROSSARD D , GEBEL G , BERG M . A systematic approach to implementing ABAC[C]// Proceedings of the 2nd ACM Workshop on Attribute-Based Access Control. New York:ACM Press, 2017: 53-59.
[35]	DEVLIN J , CHANG M , LEE K ,et al. BERT模型:pre-training of deep bidirectional transformers for language understanding[C]// North American Chapter of the Association for Computational Linguistics. Virginia:NAACL, 2019: 4171-4186.
[36]	LUO X , ZHOU W , WANG W ,et al. Attention-based relation extraction with bidirectional gated recurrent unit and highway network in the analysis of geological data[J]. IEEE Access, 2018,6: 5705-5715.

Metrics

Recommended 0

No Suggested Reading articles found!

编号	标记符号	标记类别
1	/O	无关属性
2	/B_subject_attribute	主体属性起初位置
3	/M_subject_attribute	主体属性非起初位置
4	/B_action_attribute	动作属性起初位置
5	/M_action_attribute	动作属性非起初位置
6	/B_object_attribute	客体属性起初位置
7	/M_object_attribute	客体属性非起初位置

数据集	领域	ACP语句数目/条	Non-ACP语句数目/条	总数/条
iTrust	Healthcare	967	664	1 631
IBM App	Education	169	232	401
Cyberchair	Conference	140	163	303
Collected ACP	Multiple	125	17	142
总数	—	1 401	1 076	2 477

ABAC access control policy generation technique based on deep learning

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 16

References 36

Related Articles 15

Metrics

Recommended 0

[1]	Dongyu CHEN, Hua CHEN, Limin FAN, Yifang FU, Jian WANG. Research on test strategy for randomness based on deep learning [J]. Journal on Communications, 2023, 44(6): 23-33.
[2]	Rongpeng LI, Bingyan WANG, Honggang ZHANG, Zhifeng ZHAO. Design of knowledge enhanced semantic communication receiver [J]. Journal on Communications, 2023, 44(6): 70-76.
[3]	Shuai MA, Ke PEI, Huayan QI, Hang LI, Wen CAO, Hongmei WANG, Hailiang XIONG, Shiyin LI. Research on geomagnetic indoor high-precision positioning algorithm based on generative model [J]. Journal on Communications, 2023, 44(6): 211-222.
[4]	Wei JIN, Fenghua LI, Mingjie YU, Yunchuan GUO, Ziyan ZHOU, Liang FANG. HDFS-oriented cryptographic key resource control mechanism [J]. Journal on Communications, 2022, 43(9): 27-41.
[5]	Jie YANG, Biao DONG, Xue FU, Yu WANG, Guan GUI. Lightweight decentralized learning-based automatic modulation classification method [J]. Journal on Communications, 2022, 43(7): 134-142.
[6]	Xiuzhang YANG, Guojun PENG, Zichuan LI, Yangqi LYU, Side LIU, Chenguang LI. Research on entity recognition and alignment of APT attack based on Bert and BiLSTM-CRF [J]. Journal on Communications, 2022, 43(6): 58-70.
[7]	Yong LIAO, Shiyi WANG. CSI feedback algorithm based on RM-Net for massive MIMO systems in high-speed mobile environment [J]. Journal on Communications, 2022, 43(5): 166-176.
[8]	Yurong LIAO, Haining WANG, Cunbao LIN, Yang LI, Yuqiang FANG, Shuyan NI. Research progress of deep learning-based object detection of optical remote sensing image [J]. Journal on Communications, 2022, 43(5): 190-203.
[9]	Zenghua ZHAO, Yuefan TONG, Jiayang CUI. Device-independent Wi-Fi fingerprinting indoor localization model based on domain adaptation [J]. Journal on Communications, 2022, 43(4): 143-153.
[10]	Yong LIAO, Gang CHENG, Yujie LI. CSI feedback algorithm based on deep unfolding for massive MIMO systems [J]. Journal on Communications, 2022, 43(12): 77-88.
[11]	Xueyuan DUAN, Yu FU, Kun WANG, Bin LI. LDoS attack detection method based on simple statistical features [J]. Journal on Communications, 2022, 43(11): 53-64.
[12]	Junyan HUO, Ruipeng QIU, Yanzhuo MA, Fuzheng YANG. Reference frame list optimization algorithm in video coding by quality enhancement of the nearest picture [J]. Journal on Communications, 2022, 43(11): 136-147.
[13]	Haiyan KANG, Yuanrui JI. Research on federated learning approach based on local differential privacy [J]. Journal on Communications, 2022, 43(10): 94-105.
[14]	Hongxia ZHANG, Qi WANG, Dengyue WANG, Ben WANG. Honeypot contract detection of blockchain based on deep learning [J]. Journal on Communications, 2022, 43(1): 194-202.
[15]	Yan YAN, Yiming CONG, Mahmood Adnan, Quanzheng SHENG. Statistics release and privacy protection method of location big data based on deep learning [J]. Journal on Communications, 2022, 43(1): 203-216.