TY - GEN
T1 - Automated inference of access control policies for web applications
AU - Le, Ha Thanh
AU - Nguyen, Cu D.
AU - Briand, Lionel
AU - Hourte, Benjamin
N1 - Publisher Copyright:
© Copyright 2015 ACM.
PY - 2015/6/1
Y1 - 2015/6/1
N2 - In this paper, we present a novel, semi-automated approach to infer access control policies automatically for web-based applications. Our goal is to support the validation of implemented access control policies, even when they have not been clearly specified or documented. We use role-based access control as a reference model. Built on top of a suite of security tools, our approach automatically exercises a system under test and builds access spaces for a set of known users and roles. Then, we apply a machine learning technique to infer access rules. Inconsistent rules are then analysed and fed back to the process for further testing and improvement. Finally, the inferred rules can be validated based on prespecified rules if they exist. Otherwise, the inferred rules are presented to human experts for validation and for detecting access control issues. We have evaluated our approach on two applications; one is open source while the other is a proprietary system built by our industry partner. The obtained results are very promising in terms of the quality of inferred rules and the access control vulnerabilities it helped detect.
AB - In this paper, we present a novel, semi-automated approach to infer access control policies automatically for web-based applications. Our goal is to support the validation of implemented access control policies, even when they have not been clearly specified or documented. We use role-based access control as a reference model. Built on top of a suite of security tools, our approach automatically exercises a system under test and builds access spaces for a set of known users and roles. Then, we apply a machine learning technique to infer access rules. Inconsistent rules are then analysed and fed back to the process for further testing and improvement. Finally, the inferred rules can be validated based on prespecified rules if they exist. Otherwise, the inferred rules are presented to human experts for validation and for detecting access control issues. We have evaluated our approach on two applications; one is open source while the other is a proprietary system built by our industry partner. The obtained results are very promising in terms of the quality of inferred rules and the access control vulnerabilities it helped detect.
KW - Access control policies
KW - Inference
KW - Machine learning
UR - http://www.scopus.com/inward/record.url?scp=84957645275&partnerID=8YFLogxK
U2 - 10.1145/2752952.2752969
DO - 10.1145/2752952.2752969
M3 - Conference contribution
AN - SCOPUS:84957645275
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 27
EP - 37
BT - SACMAT 2015 - Proceedings of the 20th ACM Symposium on Access Control Models and Technologies
PB - Association for Computing Machinery
T2 - 20th ACM Symposium on Access Control Models and Technologies, SACMAT 2015
Y2 - 1 June 2015 through 3 June 2015
ER -