Issue No.05 - Sept.-Oct. (2012 vol.9)
pp: 655-669
Haibing Lu, Santa Clara University, Santa Clara
Jaideep Vaidya, Rutgers University, Newark
Vijayalakshmi Atluri, Rutgers University, Newark
Yuan Hong, Rutgers University, Newark
ABSTRACT
The role mining problem has received considerable attention recently. Among the many solutions proposed, the Boolean matrix decomposition (BMD) formulation has stood out, which essentially discovers roles by decomposing the binary matrix representing user-to-permission assignment (UPA) into two matrices—user-to-role assignment (UA) and permission-to-role assignment (PA). However, supporting certain embedded constraints, such as separation of duty (SoD) and exceptions, is critical to the role mining process. Otherwise, the mined roles may not capture the inherent constraints of the access control policies of the organization. None of the previously proposed role mining solutions, including BMD, takes into account these underlying constraints while mining. In this paper, we extend the BMD so that it reflects such embedded constraints by proposing to allow negative permissions in roles or negative role assignments for users. Specifically, by allowing negative permissions in roles, we are often able to use fewer roles to reconstruct the same given user-permission assignments. Moreover, from the resultant roles we can discover underlying constraints such as separation of duty constraints. This feature is not supported by any existing role mining approaches. Hence, we call the role mining problem with negative authorizations the constraint-aware role mining problem (CRM). We also explore other interesting variants of the CRM, which may occur in real situations. To enable CRM and its variants, we propose a novel approach, extended Boolean matrix decomposition (EBMD), which addresses the ineffectiveness of BMD in capturing underlying constraints. We analyze the computational complexity for each of the CRM variants and present heuristics for problems that are proven to be NP-hard.
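The effect of negative permissions on role count, as an added example that is not code from the paper: an exhaustive search for the fewest roles that reproduce a small UPA exactly, first with 0/1 roles (BMD) and then with -1 entries allowed. The sample matrix is constructed, the names `ext_row` and `min_roles` are hypothetical, and the deny-overrides rule used to combine roles is an assumption, since the abstract does not spell out the semantics.

```python
from itertools import product

# Constructed sample UPA: rows are users u1..u3, columns are permissions p1..p3.
UPA = [(1, 1, 0),
       (0, 1, 1),
       (0, 1, 0)]

def ext_row(assigned, PA):
    """Permissions one user ends up with, given a 0/1 role-assignment vector.
    Assumed semantics: granted iff some assigned role has +1 for the
    permission and no assigned role has -1 for it."""
    roles = [PA[r] for r, bit in enumerate(assigned) if bit]
    return tuple(
        int(any(r[j] == 1 for r in roles) and all(r[j] != -1 for r in roles))
        for j in range(len(PA[0])))

def min_roles(upa, values):
    """Exhaustive search for the fewest roles that reproduce upa exactly.
    values=(0, 1) is plain BMD; values=(-1, 0, 1) allows negative permissions.
    Returns (k, UA, PA). Only practical for toy-sized matrices."""
    n_perms = len(upa[0])
    for k in range(1, n_perms + 1):          # one role per permission always works
        for flat in product(values, repeat=k * n_perms):
            PA = [flat[i * n_perms:(i + 1) * n_perms] for i in range(k)]
            UA = []
            for target in upa:               # users can be solved independently
                hit = next((a for a in product((0, 1), repeat=k)
                            if ext_row(a, PA) == target), None)
                if hit is None:
                    break
                UA.append(hit)
            else:
                return k, UA, PA
    return None

if __name__ == "__main__":
    for label, values in (("BMD", (0, 1)), ("with negative permissions", (-1, 0, 1))):
        k, UA, PA = min_roles(UPA, values)
        print(f"{label}: {k} roles, PA={PA}, UA={UA}")
```

On this matrix, no user holds p1 and p3 together, and two roles that each deny the other's distinguishing permission make that exclusion explicit in the role definitions.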
INDEX TERMS
Matrix decomposition, Authorization, Minimization, Organizations, Vectors, Clustering algorithms, EBMD, RBAC, constraint-aware role mining
CITATION
Haibing Lu, Jaideep Vaidya, Vijayalakshmi Atluri, Yuan Hong, "Constraint-Aware Role Mining via Extended Boolean Matrix Decomposition", IEEE Transactions on Dependable and Secure Computing, vol.9, no. 5, pp. 655-669, Sept.-Oct. 2012, doi:10.1109/TDSC.2012.21