ProFact: A Provenance-based Analytics Framework for Access Control Policies

Abstract
Policy-based access control systems are crucial for secure information sharing in collaborative applications. However, policy management needs to be flexible in order to adapt to different environments and to support policy evolution. At the same time, when dealing with large sets of evolving policies, it is critical that the policies meet certain quality requirements: policy sets must be complete, free of inconsistencies, and relevant. In this paper, we propose a framework to analyze policies and determine whether they meet such requirements. Our framework uses provenance techniques that collect comprehensive data about actions triggered either by a network context or by a user (i.e., a human or a device). The provenance data are used to determine whether the policies meet the quality requirements. The framework includes two approaches to policy analysis: structure-based and classification-based. For the structure-based approach, we designed tree structures to organize and assess the policy set efficiently. For the classification-based approach, we employed classification techniques to learn the characteristics of policies and predict their quality. In addition, the framework supports policy evolution and the assessment of its impact on policy quality. The analysis framework has been implemented, and experimental results from the prototype are reported.
  • Amani Abu Jabal (Purdue)
  • Maryam Davari (Purdue)
  • Elisa Bertino (Purdue)
  • Christian Makaya (IBM US)
  • Seraphin Calo (IBM US)
  • Dinesh Verma (IBM US)
  • Chris Williams (Dstl)
Date Sep-2018
Venue 2nd Annual Fall Meeting of the DAIS ITA, 2018
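The three quality requirements named in the abstract (completeness, freedom from inconsistencies, relevance) can be checked against provenance records of observed actions. The following is an added illustrative example, not ProFact's own code or data model: the Policy and ProvRecord classes, the triple-matching rule and the sample data are all assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List
# Hypothetical toy model (not ProFact's own code or data format): a policy
# permits or denies a (role, resource, action) triple, and a provenance
# record captures one observed action, whoever or whatever triggered it.
@dataclass(frozen=True)
class Policy:
    pid: str
    role: str
    resource: str
    action: str
    effect: str  # "permit" or "deny"
@dataclass(frozen=True)
class ProvRecord:
    role: str
    resource: str
    action: str

def matches(p: Policy, r: ProvRecord) -> bool:
    return (p.role, p.resource, p.action) == (r.role, r.resource, r.action)

def assess(policies: List[Policy], provenance: List[ProvRecord]) -> Dict[str, list]:
    """Check the three quality requirements named in the abstract."""
    # Inconsistency: two policies on the same triple with opposite effects.
    effects: Dict[tuple, set] = {}
    for p in policies:
        effects.setdefault((p.role, p.resource, p.action), set()).add(p.effect)
    inconsistent = sorted(k for k, e in effects.items() if len(e) > 1)
    # Incompleteness: an observed action that no policy covers at all.
    incomplete = sorted({(r.role, r.resource, r.action) for r in provenance
                         if not any(matches(p, r) for p in policies)})
    # Irrelevance: a policy that no observed action has ever exercised.
    irrelevant = sorted(p.pid for p in policies
                        if not any(matches(p, r) for r in provenance))
    return {"inconsistent": inconsistent, "incomplete": incomplete,
            "irrelevant": irrelevant}

# Constructed sample data for the demonstration.
POLICIES = [
    Policy("p1", "analyst", "report", "read", "permit"),
    Policy("p2", "analyst", "report", "read", "deny"),  # conflicts with p1
    Policy("p3", "admin", "config", "write", "permit"),
    Policy("p4", "guest", "archive", "read", "permit"),  # never exercised
]
PROVENANCE = [
    ProvRecord("analyst", "report", "read"),
    ProvRecord("admin", "config", "write"),
    ProvRecord("device", "sensor-feed", "write"),  # no policy covers this
]
```

Calling assess(POLICIES, PROVENANCE) reports the p1/p2 conflict as an inconsistency, the uncovered device write as a completeness gap, and p4 as a policy the provenance data never exercised.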