Qualitative Intention-aware Attribute-based Access Control Policy Refinement
Abstract
Designing access control policies is often expensive and tedious due to the heterogeneous systems, services, and diverse user demands. Although ABAC policy and decision engine creation methods based on machine learning have been proposed, they cannot make good access decisions for applications and situations not envisioned by the decision-makers who provide training examples. It results in over- and under-permissiveness. In this paper, we propose a framework that refines pre-developed policies. It creates a decision engine that makes better decisions than those policies. Inspired by multiple criteria decision theory, our method uses the policy manager's qualitative intentions behind their judgments to guide access decisions so that more benefits are expected. In the evaluation, we prepare a coarse and relatively elaborate policy. We refine the coarse policy to obtain a decision engine that is compared for the similarity in access decisions with the elaborate policy using AUC as a measure. The results show that our method improves the coarse policy by a difference of 12-26% in AUC and outperforms the conventional machine learning methods by a difference of 3-11% in AUC.
Publication status
published
Book title
SACMAT '23: Proceedings of the 28th ACM Symposium on Access Control Models and Technologies
Publisher
Association for Computing Machinery
Subject
actionable ai; decision theory; abac policy; machine learning
Organisational unit
03975 - Perrig, Adrian / Perrig, Adrian
ETH Bibliography
yes