Reverse Engineering of RBAC Policy using Access Logs
MS Thesis Defense
Role Based Access Control (RBAC) is a flexible and powerful approach to access control which is widely used. We present approaches to finding the functional role hierarchy using access logs. We discuss a method to reconstruct the functional role hierarchy with knowledge of all access rights of all users. New methods of test data generation are introduced. We then present heuristics that work with partial logs to predict an approximate role hierarchy. A method to efficiently use background knowledge is also discussed. We show with empirical evidence that to reconstruct even half the hierarchy correctly with the heuristics; we need significant amount of access logs. We compare the two heuristics in terms of false positives, false negatives and number of correct predictions. The two heuristics are compared to parent-child relations as well as ancestor-descendant relations. Committee:
Role Based Access Control (RBAC) is a flexible and powerful approach to access control which is widely used. We present approaches to finding the functional role hierarchy using access logs. We discuss a method to reconstruct the functional role hierarchy with knowledge of all access rights of all users. New methods of test data generation are introduced. We then present heuristics that work with partial logs to predict an approximate role hierarchy. A method to efficiently use background knowledge is also discussed. We show with empirical evidence that to reconstruct even half the hierarchy correctly with the heuristics; we need significant amount of access logs. We compare the two heuristics in terms of false positives, false negatives and number of correct predictions. The two heuristics are compared to parent-child relations as well as ancestor-descendant relations. Committee:
- Dr. Anupam Joshi (chair)
- Dr. Tim Finin
- Dr. Yelena Yesha
Starts on: Monday, June 15, 2009, 02:00pm
Ends on: Monday, June 15, 2009, 04:00pm
Location: 325 ITE, UMBC, Baltimore
Speaker: Kishor Datar