Toward More Effective Management of Attribute-Based Access Control Policies
Authors
Davari, Maryam
Type
thesis
Language
eng
Keyword
Attribute-Based Access Control Policies
Abstract
Different services and applications available on the internet need secure interactions and have authorization requirements. Sensitive data exchanged through web and distributed protocols also highlights the need for access control to prevent unauthorized access to resources. Attribute-Based Access Control (ABAC) is a strong option for supporting the authorization requirements of complex and dynamic systems in a variety of application domains. However, there is a lack of effective policy analysis mechanisms and tools for ABAC policies, which can result in issues with policy enforcement, availability, and security. Large-scale organizations are also interested in migrating to the ABAC model, but the high cost of automatic migration is a significant barrier for them. There is no commercial ABAC implementation, and the ABAC model has not been integrated with any database management system (DBMS) or operating system, which makes adopting this model very challenging. This thesis proposes solutions for effectively managing ABAC policies. In particular, we develop a formal tree-based policy modeling approach to facilitate the management of numerous policies and vulnerabilities, which is challenging, particularly in large and complex policy sets. We formalize policy anomalies (redundancy, inconsistency, irrelevancy, and incompleteness) for the ABAC model. We also propose anomaly mitigation techniques, based on policy tree modeling and the anomaly formalization, to resolve ABAC policy anomalies. We develop a data classification-based technique to identify the behavior of anomalies and predict the anomaly types of new policy rules. We address the challenge of automatic policy specification and migration for organizations by developing a bottom-up policy mining technique that extracts ABAC policies from access logs. The approach also employs machine learning techniques to learn ABAC policies.
We propose a four-step approach that automatically converts ABAC policies to Role-Based Access Control (RBAC) policies, combining the benefits of both models. We construct trees for user and resource attributes, generate initial roles, prune the roles, and select a minimum number of roles. The effectiveness of the proposed approaches has been demonstrated through experimental evaluations. The results demonstrate that the approaches are quite effective in managing ABAC policies.
License
Queen's University's Thesis/Dissertation Non-Exclusive License for Deposit to QSpace and Library and Archives Canada
ProQuest PhD and Master's Theses International Dissemination Agreement
Intellectual Property Guidelines at Queen's University
Copying and Preserving Your Thesis
This publication is made available by the authority of the copyright owner solely for the purpose of private study and research and may not be copied or reproduced except as permitted by the copyright laws without written authority from the copyright owner.