Issue No.06 - June (2012 vol.24)
pp: 1120-1133
Alessandro Colantonio, Bay31 GmbH, Zug
Roberto Di Pietro, Università Roma Tre, Roma
Alberto Ocello, Engiweb Security, Roma
Nino Vincenzo Verde, Università Roma Tre, Roma
ABSTRACT
This paper offers a new role engineering approach to Role-Based Access Control (RBAC), referred to as visual role mining. The key idea is to graphically represent user-permission assignments to enable quick analysis and elicitation of meaningful roles. First, we formally define the problem by introducing a metric for the quality of the visualization. Then, we prove that finding the best representation according to the defined metric is an NP-hard problem. In turn, we propose two algorithms: ADVISER and EXTRACT. The former is a heuristic used to best represent the user-permission assignments of a given set of roles. The latter is a fast probabilistic algorithm that, when used in conjunction with ADVISER, allows for a visual elicitation of roles even in the absence of predefined roles. Besides being rooted in sound theory, our proposal is supported by extensive simulations run over real data. Results confirm the quality of the proposal and demonstrate its viability in supporting role engineering decisions.
INDEX TERMS
Access controls, data and knowledge visualization, mining methods and algorithms.
CITATION
Alessandro Colantonio, Roberto Di Pietro, Alberto Ocello, Nino Vincenzo Verde, "Visual Role Mining: A Picture Is Worth a Thousand Roles", IEEE Transactions on Knowledge & Data Engineering, vol.24, no. 6, pp. 1120-1133, June 2012, doi:10.1109/TKDE.2011.37