[ZISC Lunch Seminar] Mining ABAC policies from sparse logs

Thu 09Mar2017

Carlos Cotrini, ETH Zurich

From 12.00 until 13.30

At CNB/F/110 (Lunch) + CNB/F/100.9 (Seminar), ETH Zurich

Universitätstrasse 6, 8092 Zurich


Different methods have been proposed to mine attribute-based access control (ABAC) rules from logs. However, in many scenarios these methods mine and validate overly permissive rules. We define a novel measure, reliability, that improves upon other standard measures like accuracy and entropy in quantifying how overly permissive a rule is. We build upon subgroup discovery algorithms and our reliability measure to design Rapsody (Reliable APriori SubgrOup DiscoverY), the first algorithm for mining ABAC rules with correctness guarantees: Rapsody mines a rule iff the rule covers a significant number of requests, its reliability is above a given threshold, and there is no equivalent shorter rule. We compare Rapsody with competing approaches on different scenarios using logs from Amazon and a major bank. Our results show that Rapsody generalizes better and produces substantially smaller rules.

Joint work with Thilo Weghorn and David Basin.

Download Event to Calendar