Mining Domain-Based Policies
Abstract
Protection domains are one of the most enduring concepts in Access Control. Entities with identical access control characteristics are grouped under the same protection domain, and domain-based policies assign access privileges to the protection domain as a whole. With the advent of the Internet of Things (IoT), devices play the roles of both subjects and objects. Domain-based policies are particularly suited to support this symmetry of roles. This paper studies the mining of domain-based policies from incomplete access logs. We began by building a theory of domain-based policies, resulting in a polynomial-time algorithm that constructs the optimal domain-based policy out of a given access control matrix. We then showed that the problem of domain-based policy mining (DBPM) and the related problem of mining policies for domain and type enforcement (DTEPM) are both NP-complete. Next, we looked at the practical problem of using a MaxSAT solver to solve DBPM. We devised sophisticated encodings for this purpose, and empirically evaluated their relative performance. This paper thus lays the groundwork for future study of DBPM.
- Publication: arXiv e-prints
- Pub Date: December 2023
- DOI: 10.48550/arXiv.2312.15596
- arXiv: arXiv:2312.15596
- Bibcode: 2023arXiv231215596Z
- Keywords: Computer Science - Cryptography and Security