A Data Classification Method for Inconsistency and Incompleteness Detection in Access Control Policy Sets
详细信息 查看全文
- 作者:Riaz Ahmed Shaikh ; Kamel Adi ; Luigi Logrippo
- 关键词:Policy validation ; Data classification ; Access control ; Inconsistency ; Incompleteness ; Redundancy
- 刊名:International Journal of Information Security
- 出版年:2017
- 出版时间:February 2017
- 年:2017
- 卷:16
- 期:1
- 页码:91-113
- 全文大小:
- 刊物类别:Computer Science
- 刊物主题:Data Encryption; Computer Communication Networks; Operating Systems; Coding and Information Theory; Management of Computing and Information Systems; Communications Engineering, Networks;
- 出版者:Springer Berlin Heidelberg
- ISSN:1615-5270
- 卷排序:16
文摘
Access control policies may contain anomalies such as incompleteness and inconsistency, which can result in security vulnerabilities. Detecting such anomalies in large sets of complex policies automatically is a difficult and challenging problem. In this paper, we propose a novel method for detecting inconsistency and incompleteness in access control policies with the help of data classification tools well known in data mining. Our proposed method consists of three phases: firstly, we perform parsing on the policy data set; this includes ordering of attributes and normalization of Boolean expressions. Secondly, we generate decision trees with the help of our proposed algorithm, which is a modification of the well-known C4.5 algorithm. Thirdly, we execute our proposed anomaly detection algorithm on the resulting decision trees. The results of the anomaly detection algorithm are presented to the policy administrator who will take remediation measures. In contrast to other known policy validation methods, our method provides means for handling incompleteness, continuous values and complex Boolean expressions. In order to demonstrate the efficiency of our method in discovering inconsistencies, incompleteness and redundancies in access control policies, we also provide a proof-of-concept implementation.