Role Mining Scheme with Abnormal Permission Configuration

doi:10.3969/j.issn.1671-1122.2022.11.002

Abstract

Abstract:

Role mining is a common method to build RBAC system. However, the current role mining schemes don’t detect the abnormal permission configuration in the original system, so that the result of role mining may contain the wrong role permission configuration, which brings security risks to the system. To solve the above problem, role mining scheme tolerating abnormal permission configuration is proposed. First, Canopy preclustering is introduced to reduce the subsequent spectral clustering calculation in the user clustering part by extracting the subset overlapping data. Then, the initial value selection of spectral clustering was optimized by combining the preclustering results, and the distance of Canopy preclustering and spectral clustering was measured by combining Jakard distance and Hamming distance, aiming at the characteristics that access control data are represented by Boolean values, so as to improve user clustering effect. Finally, the abnormal permission configuration detection rules are refined, and the modified user clustering results are used for role mining. Experimental results show that the scheme can find abnormal permission configuration effectively and improve the efficiency of role mining.

Key words: role mining, Canopy preclustering, spectral clustering, abnormal permission configuration detection

CLC Number:

TP309

SHEN Zhuowei, FAN Linli, HUA Tong, WANG Kexiang. Role Mining Scheme with Abnormal Permission Configuration[J]. Netinfo Security, 2022, 22(11): 7-16.

Figures/Tables 16

References 17

[1]	MITRA B, SURAL S, VAIDYA J, et al. A Survey of Role Mining[J]. ACM Computing Surveys, 2016, 48(4): 1-37.
[2]	LIU Zhengtao, GU Wen, XIA Jinyue. Review of Access Control Model[J]. Journal of Cyber Security, 2019, 1(1): 43-50.
[3]	LI Hao, ZHANG Min, FENG Dengguo, et al. Research on Access Control of Big Data[J]. Chinese Journal of Computers, 2017, 40(1): 72-91.
	李昊, 张敏, 冯登国, 等. 大数据访问控制研究[J]. 计算机学报, 2017, 40(1):72-91.
[4]	BAI Wei, PAN Zhisong, GUO Shize, et al. RMMDI: A Novel Framework for Role Mining Based on the Multi-Domain Information[EB/OL]. (2019-06-11)[2022-05-11]. .
[5]	KUHLMANN M, SHOHAT D, SCHIMPF G. Role Mining-Revealing Business Roles for Security Administration Using Data Mining Technology[C]// ACM. 8th ACM Symposium on Access Control Models and Technologies. New York: ACM, 2003: 179-186.
[6]	YUAN Xuebin, LI Wenping, LIU Shengcheng, et al. Role Mining Algorithm in RBAC[J]. Communications Technology, 2020, 53(8): 1994-2001.
	袁学斌, 李文萍, 刘生成, 等. RBAC中角色挖掘算法研究[J]. 通信技术, 2020, 53(8):1994-2001.
[7]	BLUNDO C, CIMATO S, SINISCALCHI L. Role Mining Heuristics for Permission-Role-Usage Cardinality Constraints[J]. The Computer Journal, 2022, 65(6): 1386-1411. doi: 10.1093/comjnl/bxaa186 URL
[8]	WANG Jingyu, CUI Yongjiao, TAN Yuesheng. Role Mining Algorithm Based on Double Cardinality Constraints[J]. Computer Engineering and Design, 2020, 41(6): 1599-1604.
	王静宇, 崔永娇, 谭跃生. 基于双重约束的角色挖掘算法[J]. 计算机工程与设计, 2020, 41(6):1599-1604.
[9]	CUI Yongjiao. Research on Role Mining Algorithm for Access Control[D]. Baotou: Inner Mongolia University of Science & Technology, 2020.
	崔永娇. 面向访问控制的角色挖掘算法研究[D]. 包头: 内蒙古科技大学, 2020.
[10]	ZHOU Chao, REN Zhiyu, WU Wenchao. Semantic Roles Mining Algorithms Based on Formal Concept Analysis[J]. Computer Science, 2018, 45(12): 117-122,129. doi: 10.11896／j.issn.1002-137X.2018.12.018
	周超, 任志宇, 毋文超. 基于形式概念分析的语义角色挖掘算法[J]. 计算机科学, 2018, 45(12):117-122,129. doi: 10.11896／j.issn.1002-137X.2018.12.018
[11]	VAIDYA J, ATLURI V, GUO Qi. The Role Mining Problem: Finding A Minimal Descriptive Set of Roles[C]// ACM. 12th ACM Symposium on Access Control Models and Technologies. New York: ACM, 2007: 175-184.
[12]	LU Haibing, VAIDYA J, ATLURI V. Optimal Boolean Matrix Decomposition: Application to Role Engineering[C]// IEEE. 24th International Conference on Data Engineering. New York: IEEE, 2008: 297-306.
[13]	MOLLOY I, LI Ninghui, QI Yuan, et al. Mining Roles with Noisy Data[C]// ACM. 15th ACM Symposium on Access Control Models and Technologies. New York: ACM, 2010: 45-54.
[14]	MENG Deyu, XU Zongben, ZHANG Lei, et al. A Cyclic Weighted Median Method for l1 Low-Rank Matrix Factorization with Missing Entries[C]// AAAI. 27th AAAI Conference on Artificial Intelligence. Washington: AAAI, 2013: 704-710.
[15]	PAN Ning. Research on Several Key Technologies of Role Mining[D]. Zhengzhou: PLA Strategic Support Force Information Engineering University, 2018.
	潘宁. 角色挖掘若干关键技术研究[D]. 郑州: 战略支援部队信息工程大学, 2018.
[16]	FANG Liang, YIN Lihua, LI Fenghua, et al. Spectral-Clustering-Based Abnormal Permission Assignments Hunting Framework[J]. Journal on Communications, 2017, 38(12): 63-72.
	房梁, 殷丽华, 李凤华, 等. 基于谱聚类的访问控制异常权限配置挖掘机制[J]. 通信学报, 2017, 38(12):63-72.
[17]	MOLLOY I, CHEN Hong, LI Tiancheng, et al. Mining Roles with Multiple Objectives[J]. ACM Transactions on Information and System Security, 2010, 13(4): 1-35.

名称	配置
操作系统	Windows 10
开发环境	PyCharm
开发语言	Python
CPU	AMD R7 5700U
内存	16 GB 1.80 GHZ
固态硬盘	512 GB

数据集	用户数	权限数	用户权限配置数
Emea	35	3046	7220
Healthcare	45	45	1486
Domino	79	231	730
Firewall2	325	590	36428
Firewall1	365	709	31951
University_Large	493	56	3955
Apj	2044	1164	6841
Americas_Small	3478	1588	105491
Americas_Large	3485	10127	187051

数据集	正异常权限配置数量/个	负异常权限配置数量/个
Emea	360	42
Healthcare	74	9
Domino	37	5
Firewall2	1814	212
Firewall1	1592	186
University_Large	197	23
Apj	375	44
Americas_Small	5255	615
Americas_Large	9317	1088

数据集	运行时间/s		T₂/T₁
数据集	文献[16]方案（T₁）	本文方案（T₂）	T₂/T₁
Emea	0.17	0.2	1.17
Healthcare	0.23	0.25	1.09
Domino	0.72	0.71	0.99
Firewall2	27.95	23.3	0.83
Firewall1	39.41	29.45	0.75
University_Large	92.67	68.93	0.74
Apj	6595.98	4723.54	0.72
Americas_Small	10154.17	6594.22	0.65
Americas_Large	12309.52	8113.94	0.66

数据集	文献[16]方案				本文方案
数据集	Acc	Pre	Recall	F1	Acc	Pre	Recall	F1
Emea	0.779	0.724	0.843	0.779	0.84	0.79	0.91	0.846
Healthcare	0.768	0.704	0.835	0.764	0.826	0.774	0.904	0.834
Domino	0.772	0.713	0.837	0.77	0.831	0.779	0.906	0.838
Firewall2	0.788	0.725	0.846	0.781	0.838	0.788	0.912	0.846
Firewall1	0.783	0.722	0.847	0.78	0.839	0.791	0.915	0.849
University_Large	0.776	0.716	0.841	0.774	0.837	0.787	0.909	0.844
Apj	0.797	0.739	0.867	0.798	0.842	0.794	0.919	0.852
Americas_Small	0.801	0.751	0.873	0.808	0.848	0.798	0.923	0.856
Americas_Large	0.805	0.768	0.877	0.819	0.855	0.802	0.929	0.861