CR · AI · Aug 19, 2020

Learning Attribute-Based and Relationship-Based Access Control Policies with Unknown Values

arXiv:2008.08444v4 · 18 citations
Originality: Incremental advance
AI Analysis

This work addresses the need for cost-effective migration to more expressive access control systems in security domains, though it appears incremental as it builds on existing policy learning methods by handling unknown values.

The paper tackles the problem of learning Attribute-Based and Relationship-Based Access Control policies from legacy access control lists with incomplete entity information, where some attribute values are unknown, and presents the first algorithms for this task by framing it as learning concise three-valued logic formulas.

Attribute-Based Access Control (ABAC) and Relationship-Based Access Control (ReBAC) provide a high level of expressiveness and flexibility that promote security and information sharing, by allowing policies to be expressed in terms of attributes of and chains of relationships between entities. Algorithms for learning ABAC and ReBAC policies from legacy access control information have the potential to significantly reduce the cost of migration to ABAC or ReBAC. This paper presents the first algorithms for mining ABAC and ReBAC policies from access control lists (ACLs) and incomplete information about entities, where the values of some attributes of some entities are unknown. We show that the core of this problem can be viewed as learning a concise three-valued logic formula from a set of labeled feature vectors containing unknowns, and we give the first algorithm (to the best of our knowledge) for that problem.
