基于谱聚类的访问控制异常权限配置挖掘机制

doi:10.11959/j.issn.1000-436x.2017285

Abstract

Abstract:

Migrating traditional access control,such as mandatory and discretionary access control,into role-based access control(RBAC)lightens a practical way to improve the user-permission management efficiency.To guarantee the security of RBAC system,it is important to generate proper roles during the migration.However,abnormal user-permission configurations lead to wrong roles and cause tremendous security risks.To hunt the potential abnormal user-permission configurations,a novel spectral clustering based abnormal configuration hunting framework was proposed and recommendations were given to correct these configurations.Experimental results show its performance over existing solutions.

Key words: access control, abnormal configurations, spectral clustering

CLC Number:

TP309.2

Liang FANG,Li-hua YIN,Feng-hua LI,Bin-xing FANG. Spectral-clustering-based abnormal permission assignments hunting framework[J]. Journal on Communications, 2017, 38(12): 63-72.

Figures/Tables 11

References 24

[1]	ZHANG D , RAMAMOHANARAO K , EBRINGER T ,et al. Permission set mining:discovering practical and useful roles[C]// The 24th Annual Computer Security Applications Conference. 2008: 247-256.
[2]	YOUNIS Y A , KIFAYAT K , MERABTI M . An access control model for cloud computing[J]. Journal of Information Security and Applications, 2014,19(1): 45-60.
[3]	李凤华, 王彦超, 殷丽华 ,等. 面向网络空间的访问控制模型[J]. 通信学报, 2016,37(5): 9-20.
	LI F H , WANG Y C , YIN L H ,et al. Novel cyberspace-oriented access control model[J]. Journal on Communications, 2016,37(5): 9-20.
[4]	YU X , XU P , ZHANG T ,et al. Research and implementation of role-based access control model of fundamental spatial database system of Jilin water resources[C]// The 2013 International Conference on Information System and Engineering Management. 2013: 83-86.
[5]	WANG Y C , LI F H , XIONG J B ,et al. Achieving lightweight and secure access control in multi-authority cloud[C]// The 14th IEEE International Conference on Trust,Security and Privacy in Computing and Communications. 2015: 459-466.
[6]	VAIDYA J , ATLURI V , GUO Q . The role mining problem:a formal perspective[J]. ACM Transactions on Information and System Security, 2010,13(3).
[7]	MOLLOY I , LI N.H , QI A ,et al. Mining roles with noisy data[C]// The 15th ACM Symposium on Access Control Models and Technologies. 2010: 45-54.
[8]	BAUER L , GARRISS S , REITER M.K . Detecting and resolving policy misconfigurations in access-control systems[J]. ACM Transactions on Information and System Security, 2011,14(1).
[9]	DAS T , BHAGWAN R , NALDURG P . Baaz:a system for detecting access control misconfigurations[C]// The 19th USENIX Security Symposium. 2010: 161-176.
[10]	SCHLEGELMILCH J , STEFFENS U . Role mining with Oracle[C]// The 10th ACM Symposium on Access Control Models and Technologies. 2005: 168-176.
[11]	VAIDYA J , ATLURI V , WARNER J . Roleminer:mining roles using subset enumeration[C]// The 13th ACM Conference on Computer and Communications Security. 2006: 144-153.
[12]	MOLLOY I , CHEN H , LI T et al . Mining roles with semantic meanings[C]// The 13th ACM Symposium on Access Control Models and Technologies. 2008: 21-30.
[13]	FRANK M , BUHMAN J M , BASIN D . Role mining with probabilistic model[J]. ACM Transactions on Information and System Security, 2013,15(4).
[14]	HARIKA P , NAGAJYOTHI M , JOHN J C ,et al. Meeting cardinality constraints in role mining[J]. IEEE Transactions on Dependable and Secure Computing, 2015,12(1): 71-84.
[15]	JAFARIAN J H , TAKABI H , TOUATI H ,et al. Towards a general framework for optimal role mining:a constraint satisfaction approach[C]// The 20th ACM Symposium on Access Control Models and Technologies. 2015: 211-220.
[16]	LUXBURG U V . A tutorial on spectral clustering[J]. Statistics and Computing, 2007,17(4): 395-416.
[17]	ZELNIK-MANOR L . Self-tuning spectral clustering[J]. Advances in Neural Information Processing Systems, 2004,14: 1601-1608.
[18]	YAN J , CHENG D , ZONG M ,et al. Improved spectral clustering algorithm based on similarity measure[C]// The 10th International Conference on Advanced Data Mining and Applications. 2014: 641-654.
[19]	GHOSHDASTIDAR D , DUKKIPATI A . Spectral clustering using multilinear svd:Analysis,approximations and applications[C]// The 29th Conference on Artificial Intelligence. 2015: 2610-2616.
[20]	LU H , FU Z , SHU X . Non-negative and sparse spectral clustering[J]. Pattern Recognition, 2014,47(1): 418-426.
[21]	孔万增, 孙志海, 杨灿 ,等. 基于本征间隙与正交特征向量的自动谱聚类[J]. 电子学报, 2010,38(8): 1880-1885.
	KONG W Z , SUN Z H , YANG C ,et al. Automatic spectral clustering based on eigengap and orthogonal eigenvector[J]. Acta Electronica Sinica, 2010,38(8): 1880-1885.
[22]	STOLLER S D , YANG P , RAMAKRISHNAN C R ,et al. Efficient policy analysis for administrative role based access control[C]// The 2007 ACM Conference on Computer and Communications Security. 2007: 445-455.
[23]	ENE A , HORNE W , MILOSAVLJEVIC N ,et al. Fast exact and heuristic methods for role minimization problems[C]// The 13th ACM Symposium on Access Control Models and Technologies. 2008: 1-10.
[24]	YIN L , FANG L , NIU B ,et al. Hunting abnormal configurations for permission-sensitive role mining[C]// The 2016 IEEE Military Communications Conference. 2016: 1004-1009.

Metrics

Recommended 0

No Suggested Reading articles found!

用户	P1	P2	P3	P4	P5	P6	P7	P8	P9
A	1	1	1	1	0	0	0	0	0
B	1	1	1	1	1	0	0	0	0
C	1	1	1	1	0	0	0	0	0
D	1	1	1	1	0	0	0	0	0
E	1	1	1	1	0	0	0	0	0

用户	P1	P2	P3	P4	P5	P6	P7	P8	P9
A	1	1	1	1	0	1	0	0	0
B	1	1	1	1	0	1	0	0	0
C	1	1	1	1	0	0	0	0	0
D	1	1	1	1	0	1	0	0	0
E	1	1	1	1	0	1	0	0	0

数据集	用户个数	权限个数
Healthcare	46	46
University	493	56
Emea	35	3 046
Firewall1	365	1 417
Firewall2	325	1 179

数据集	初始异常配置数		对比算法	最终异常配置数
数据集	P_add	N_add	对比算法	P_left	N_left
			文献[7]算法（SVD）	35	18
			文献[7]算法（NMF）	28	30
University	197	23	文献[7]算法（BNMF）	30	16
			文献[7]算法（LPCA）	20	22
			文献[24]算法（PSRM）	16	14
			本文算法	6	14

Spectral-clustering-based abnormal permission assignments hunting framework

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 24

Related Articles 15

Metrics

Recommended 0

[1]	Wei JIN, Fenghua LI, Mingjie YU, Yunchuan GUO, Ziyan ZHOU, Liang FANG. HDFS-oriented cryptographic key resource control mechanism [J]. Journal on Communications, 2022, 43(9): 27-41.
[2]	Jing ZHAO, Jun LI, Chun LONG, Wei WAN, Jinxia WEI, Kai CHEN. Unsupervised detection method of RoQ covert attacks based on multilayer features [J]. Journal on Communications, 2022, 43(9): 224-239.
[3]	Jiangtao DONG, Peiwen YAN, Ruizhong DU. Verifiable access control scheme based on unpaired CP-ABE in fog computing [J]. Journal on Communications, 2021, 42(8): 139-150.
[4]	Changgen PENG, Zongfeng PENG, Hongfa DING, Youliang TIAN, Rongfei LIU. Attribute-based revocable collaborative access control scheme [J]. Journal on Communications, 2021, 42(5): 75-86.
[5]	Zuobin YING, Yuanping SI, Jianfeng MA, Ximeng LIU. Blockchain-based distributed EHR fine-grained traceability scheme [J]. Journal on Communications, 2021, 42(5): 205-215.
[6]	Ruizhong DU, Peiwen YAN, Yan LIU. Fine-grained attribute update and outsourcing computing access control scheme in fog computing [J]. Journal on Communications, 2021, 42(3): 160-170.
[7]	Jiawei ZHANG, Jianfeng MA, Zhuo MA, Teng LI. Time-based and privacy protection revocable and traceable data sharing scheme in cloud computing [J]. Journal on Communications, 2021, 42(10): 81-94.
[8]	Tianyi ZHU,Fenghua LI,Wei JIN,Yunchuan GUO,Liang FANG,Lin CHENG. Cross-domain access control policy mapping mechanism for balancing interoperability and autonomy [J]. Journal on Communications, 2020, 41(9): 29-48.
[9]	Qinglei ZHOU,Shaohuan BAN,Yingjie HAN,Feng FENG. Mimic defense authentication method for physical access control [J]. Journal on Communications, 2020, 41(6): 80-87.
[10]	Chunfu JIA,Guanxiong HA,Ruiqi LI. Data access control policy of encrypted deduplication system [J]. Journal on Communications, 2020, 41(5): 72-83.
[11]	Yonggui FU,Jianming ZHU. Design for database access control mechanism based on blockchain [J]. Journal on Communications, 2020, 41(5): 130-140.
[12]	Zheng GUAN,Lei XIONG,Yao JIA,Min HE,Zhijun YANG. Research on scheduled WLAN MAC protocol with failure retries on RoF-DAS architecture [J]. Journal on Communications, 2020, 41(3): 102-111.
[13]	Zhen LIU,Na’na WANG,Xiaodong WANG,Yongqi SUN. Spectral clustering and embedding-enhanced POI recommendation in location-based social network [J]. Journal on Communications, 2020, 41(3): 197-206.
[14]	Rongna XIE,Hui LI,Guozhen SHI,Yunchuan GUO. Attribute-based lightweight reconfigurable access control policy [J]. Journal on Communications, 2020, 41(2): 112-122.
[15]	Aodi LIU, Xuehui DU, Na WANG, Rui QIAO. ABAC access control policy generation technique based on deep learning [J]. Journal on Communications, 2020, 41(12): 8-20.