A data classification method for inconsistency and incompleteness detection in access control policy sets

Shaikh, Riaz Ahmed, Adi, Kamel and Logrippo, Luigi (2017) A data classification method for inconsistency and incompleteness detection in access control policy sets. International Journal of Information Security, 16 (1). pp. 91-113. ISSN 1615-5262

Full text not available from this repository. (Request a copy)

Abstract

Access control policies may contain anomalies such as incompleteness and inconsistency, which can result in security vulnerabilities. Detecting such anomalies in large sets of complex policies automatically is a difficult and challenging problem. In this paper, we propose a novel method for detecting inconsistency and incompleteness in access control policies with the help of data classification tools well known in data mining. Our proposed method consists of three phases: firstly, we perform parsing on the policy data set; this includes ordering of attributes and normalization of Boolean expressions. Secondly, we generate decision trees with the help of our proposed algorithm, which is a modification of the well-known C4.5 algorithm. Thirdly, we execute our proposed anomaly detection algorithm on the resulting decision trees. The results of the anomaly detection algorithm are presented to the policy administrator who will take remediation measures. In contrast to other known policy validation methods, our method provides means for handling incompleteness, continuous values and complex Boolean expressions. In order to demonstrate the efficiency of our method in discovering inconsistencies, incompleteness and redundancies in access control policies, we also provide a proof-of-concept implementation.

Item Type: Article
Additional Information: Funding Information: The work reported in this article was partially supported by the Natural Sciences and Engineering Research Council of Canada, PROMPT Quebec, and CA Technologies. We would like to thank Serge Mankovski of CA Technologies for having helped our effort. The authors would also like to thank all members of the Computer Security Research Lab (UQO,Canada), and Bernard Stepien for providing useful comments and suggestions. Publisher Copyright: © 2016, Springer-Verlag Berlin Heidelberg.
Uncontrolled Keywords: access control,data classification,incompleteness,inconsistency,policy validation,redundancy,software,information systems,safety, risk, reliability and quality,computer networks and communications ,/dk/atira/pure/subjectarea/asjc/1700/1712
Faculty \ School: Faculty of Science > School of Computing Sciences
Related URLs:
Depositing User: LivePure Connector
Date Deposited: 16 Aug 2022 15:31
Last Modified: 22 Oct 2022 07:54
URI: https://ueaeprints.uea.ac.uk/id/eprint/87326
DOI: 10.1007/s10207-016-0317-1

Actions (login required)

View Item View Item