Link to the University of Pittsburgh Homepage
Link to the University Library System Homepage Link to the Contact Us Form

Towards automatic attribute-based access control policy design and management for highly dynamic environments

Karimi, Leila (2022) Towards automatic attribute-based access control policy design and management for highly dynamic environments. Doctoral Dissertation, University of Pittsburgh. (Unpublished)

PDF (Final Version)
Download (4MB) | Preview


With the rapid advances in computing and information technologies, traditional access control models have become inadequate in terms of capturing fine-grained, and expressive security requirements of newly emerging applications. An attribute-based access control (ABAC) model provides a more flexible approach to addressing the authorization needs of complex and dynamic systems. An ABAC model grants access to a requester based on attributes of entities in a system and an authorization policy; however, its generality and flexibility come with higher costs: the costs of policy development, enforcement, and maintenance. Hence, while organizations are interested in employing newer authorization models, migrating to such models poses a significant challenge. Many large-scale businesses need
to grant authorizations to their user populations that are potentially distributed across disparate and heterogeneous computing environments. Each of these computing environments
may have its own access control (AC) model. The manual development of a single policy framework for an entire organization is tedious, costly, and error-prone. Further, the increasing complexities of organizational systems and the need for federated access to their resources make the task of AC enforcement and management much more challenging. In addition, policy misconfigurations that hinder the effectiveness of AC systems expose an organization to various security threats.

In this dissertation, we propose approaches and methods that facilitate ABAC policy Design and management. In particular, (i) we propose a methodology for automatically learning ABAC policy rules from access logs of a system to simplify the policy development process. The proposed approach employs a clustering-based algorithm for detecting patterns in access logs and extracting ABAC authorization rules from these patterns. In addition, we propose two policy improvement algorithms, including rule pruning and policy refinement
algorithms to generate a higher quality mined policy. Further, (ii) we propose an adaptive ABAC policy learning approach to automate the authorization management task. We model ABAC policy learning as a reinforcement learning problem. In particular, we propose a contextual bandit system, in which an authorization engine adapts an ABAC model through a feedback control loop; it relies on interaction with users/administrators of the system to
receive their feedback that assists the model in making authorization decisions. We propose four methods for initializing the learning model and a planning approach based on attribute value hierarchy to accelerate the learning process. In addition, (iii) we propose a machine
learning based approach for detecting ABAC policy misconfiguration and refining ABAC policy rules in order to enhance the quality of policy and prevent system exploitation. We then evaluate our proposed methods and approaches by implementing a prototype of the
ABAC policy extraction method, the adaptive ABAC policy learning framework, and the ABAC policy misconfiguration detection and tuning approach.


Social Networking:
Share |


Item Type: University of Pittsburgh ETD
Status: Unpublished
CreatorsEmailPitt UsernameORCID
Karimi, Leilalek86@pitt.edulek86
ETD Committee:
TitleMemberEmail AddressPitt UsernameORCID
Thesis AdvisorJoshi, Jamesjjoshi@pitt.edujjoshi
Committee CoChairAbdelhakim, MaiMAIA@pitt.eduMAIA
Committee MemberKarimi, HassanHKARIMI@pitt.eduHKARIMI
Committee ChairPalanisamy, BalajiBPALAN@pitt.eduBPALAN
Date: 6 September 2022
Date Type: Publication
Defense Date: 27 May 2022
Approval Date: 6 September 2022
Submission Date: 4 August 2022
Access Restriction: No restriction; Release the ETD for access worldwide immediately.
Number of Pages: 128
Institution: University of Pittsburgh
Schools and Programs: School of Computing and Information > Information Science
Degree: PhD - Doctor of Philosophy
Thesis Type: Doctoral Dissertation
Refereed: Yes
Uncontrolled Keywords: Access Control, Attribute Based Access Control, ABAC, Policy Learning,
Date Deposited: 06 Sep 2022 20:34
Last Modified: 06 Sep 2022 20:34


Monthly Views for the past 3 years

Plum Analytics

Actions (login required)

View Item View Item