An Approach for Handling Missing Attribute Values in Attribute-Based Access Control Policy Mining

TL;DR

This paper presents a novel method for improving ABAC policy mining by predicting missing attribute values using contextual clustering, facilitating better handling of incomplete data during migration.

Contribution

It introduces a clustering-based approach to infer missing attribute values, enhancing the accuracy and efficiency of ABAC policy mining from legacy systems.

Findings

Improves policy mining accuracy with incomplete data

Reduces costs of migrating to ABAC systems

Enhances attribute data quality for security administrators

Abstract

Attribute-Based Access Control (ABAC) enables highly expressive and flexible access decisions by considering a wide range of contextual attributes. ABAC policies use logical expressions that combine these attributes, allowing for precise and context-aware control. Algorithms that mine ABAC policies from legacy access control systems can significantly reduce the costs associated with migrating to ABAC. However, a major challenge in this process is handling incomplete entity information, where some attribute values are missing. This paper introduces an approach that enhances the policy mining process by predicting or inferring missing attribute values. This is accomplished by employing a contextual clustering technique that groups entities according to their known attributes, which are then used to analyze and refine authorization decisions. By effectively managing incomplete data, our approach provides security administrators with a valuable tool to improve their attribute data and ensure a smoother, more efficient transition to ABAC.