Detecting and resolving policy misconfigurations in access-control systems
- 1 May 2011
- journal article
- research article
- Published by Association for Computing Machinery (ACM) in ACM Transactions on Information and System Security
- Vol. 14 (1), 1-28
- https://doi.org/10.1145/1952982.1952984
Abstract
Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration, and, in the context of particular applications (e.g., health care), very severe consequences. In this article we apply association rule mining to the history of accesses to predict changes to access-control policies that are likely to be consistent with users' intentions, so that these changes can be instituted in advance of misconfigurations interfering with legitimate accesses. Instituting these changes requires the consent of the appropriate administrator, of course, and so a primary contribution of our work is how to automatically determine from whom to seek consent and how to minimize the costs of doing so. We show using data from a deployed access-control system that our methods can reduce the number of accesses that would have incurred costly time-of-access delays by 43%, and can correctly predict 58% of the intended policy. These gains are achieved without impacting the total amount of time users spend interacting with the system.Keywords
Funding Information
- Air Force Research Laboratory (FA87500720028)
- National Science Foundation (756998)
- Office of Naval Research (N000141010155N000141010343)
- Army Research Office (DAAD19-02-1-0389)
This publication has 15 references indexed in Scilit:
- The role mining problemPublished by Association for Computing Machinery (ACM) ,2007
- FIREMAN: a toolkit for firewall modeling and analysisPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2006
- PeerAccessPublished by Association for Computing Machinery (ACM) ,2005
- Role mining with ORCAPublished by Association for Computing Machinery (ACM) ,2005
- Bayesian detection of router configuration anomaliesPublished by Association for Computing Machinery (ACM) ,2005
- Device-Enabled Authorization in the Grey SystemLecture Notes in Computer Science, 2005
- A Matrix Algorithm for Mining Association RulesLecture Notes in Computer Science, 2005
- Policy management using access control spacesACM Transactions on Information and System Security, 2003
- Proof-carrying authenticationPublished by Association for Computing Machinery (ACM) ,1999
- Role-based access control modelsComputer, 1996