Greedy and Evolutionary Algorithms for Mining Relationship-Based Access Control Policies

TL;DR

This paper introduces two algorithms, a greedy heuristic and an evolutionary approach, for mining relationship-based access control policies from existing ACLs and attribute data, aiding migration to ReBAC systems.

Contribution

It presents the first algorithms specifically designed for mining ReBAC policies from ACLs and attribute data, combining heuristic and evolutionary methods.

Findings

Both algorithms effectively mine ReBAC policies from sample and case study data.

The evolutionary algorithm produces more accurate policies in complex scenarios.

The greedy algorithm offers faster results with acceptable accuracy.

Abstract

Relationship-based access control (ReBAC) provides a high level of expressiveness and flexibility that promotes security and information sharing. We formulate ReBAC as an object-oriented extension of attribute-based access control (ABAC) in which relationships are expressed using fields that refer to other objects, and path expressions are used to follow chains of relationships between objects. ReBAC policy mining algorithms have potential to significantly reduce the cost of migration from legacy access control systems to ReBAC, by partially automating the development of a ReBAC policy from an existing access control policy and attribute data. This paper presents two algorithms for mining ReBAC policies from access control lists (ACLs) and attribute data represented as an object model: a greedy algorithm guided by heuristics, and a grammar-based evolutionary algorithm. An evaluation of the algorithms on four sample policies and two large case studies demonstrates their effectiveness.