TY - JOUR TI - Towards automatic configuration of access control DO - https://doi.org/doi:10.7282/T3BP053H PY - 2016 AB - Access control provide means to implement organizational security policies to both of its physical and electronic resources. To date, several access control mechanisms, including Role Based Access Control (RBAC) and Discretionary Access Control (DAC) have been proposed. Regardless of which security mechanism an organization adopts, once the system variables such as policies, roles, and authorizations are defined, continuous configuration management of these systems become necessary in order to ensure that the behavior of implemented system matches with the expected system behavior. In recent years, configuration errors in access control system have emerged as one of the key causes of system failure. Traditional access control system lacks the ability to anticipate potential configuration errors. Therefore, these systems fail to gracefully react to this problem. Configuration errors often occur either in the form of false positive or false negative authorizations. It is not trivial to manually identify such misconfigurations, and moreover, existingmethods of analyzing system configuration are not efficient in detectingmisconfigurations. Therefore, there is an acute need of better ways for automatic configuration of access control systems. This dissertation aims at developing efficient and automatic methodologies and tools for access control configuration management that are based on data mining technologies. Specifically, it addresses the following three research issues. The first research problem is based on using risk estimates for configuration management. There exist a number of situations in which specific user permission assignments based on the security policy cannot be a priori decidable. These may include emergency and disaster management situations where access to critical information is expected because of the need to share, and in some cases, because of the responsibility to provide information. This dissertation has proposed novel methodologies for dynamic computation of risk in such situations where preventing an access to a resource has more deleterious effect than granting it, if the underlying risk is low. Moreover, it has developed a model that facilitates risk-based access control in both DAC and RBAC cases. Also, in case of RBAC, it has developed a method to determine situational role for a user. Computational experiments performed on both synthetic and benchmark real datasets, even in the presence of noise, confirms the viability of the proposed approaches. The second issue is to investigate the configuration management problems that arise as a result of changes within a system or due to requests from users from collaborating organizations that do not have explicit access to resources. This dissertation has proposed to exploit attribute semantics of users to (semi)automate security configuration and management, and has proposed a methodology to derive credential requirements for roles having permission to access requested object, based on local access control policies using existing access control data. The proposed approach is based on well-known data mining method known as classification. Experimental evaluation shows that the proposed method has outperformed the previously proposed approach to address this problem. Finally, the third research issue deals with automating the process of identifying and removing misconfigurations in RBAC and DAC. Towards this end, this dissertation has proposed approaches to automate the process of detection of exceptionally or erroneously granted or denied authorizations in access control data. These approaches are based on using multiple classifiers to identify anomalous assignments. An extensive experimental evaluation has been performed to demonstrate the accuracy and performance of the proposed approaches. KW - Business and Science KW - Computers--Access control KW - Computer networks--Access control LA - eng ER -