Results 1-10 of 63
The discrete basis problem
, 2005
Cited by 41 (13 self)
We consider the Discrete Basis Problem, which can be described as follows: given a collection of Boolean vectors find a collection of k Boolean basis vectors such that the original vectors can be represented using disjunctions of these basis vectors. We show that the decision version of this problem is NP-complete and that the optimization version cannot be approximated within any finite ratio. We also study two variations of this problem, where the Boolean basis vectors must be mutually orthogonal. We show that the other variation is closely related with the well-known Metric k-median Problem in Boolean space. To solve these problems, two algorithms will be presented. One is designed for the variations mentioned above, and it is solely based on solving the k-median problem, while another is a heuristic intended to solve the general Discrete Basis Problem. We will also study the results of extensive experiments made with these two algorithms with both synthetic and real-world data. The results are twofold: with the synthetic data, the algorithms did rather well, but with the real-world data the results were not as good.
Mining Roles with Semantic Meanings
Cited by 31 (2 self)
With the growing adoption of role-based access control (RBAC) in commercial security and identity management products, how to facilitate the process of migrating a non-RBAC system to an RBAC system has become a problem with significant business impact. Researchers have proposed to use data mining techniques to discover roles to complement the costly top-down approaches for RBAC system construction. A key problem that has not been adequately addressed by existing role mining approaches is how to discover roles with semantic meanings. In this paper, we study the problem in two settings with different information availability. When the only information is user-permission relation, we propose to discover roles whose semantic meaning is based on formal concept lattices. We argue that the theory of formal concept analysis provides a solid theoretical foundation for mining roles from user-permission relation. When user-attribute information is also available, we propose to create roles that can be explained by expressions of user-attributes. Since an expression of attributes describes a real-world concept, the corresponding role represents a real-world concept as well. Furthermore, the algorithms we proposed balance the semantic guarantee of roles with system complexity. Our experimental results demonstrate the effectiveness of our approaches.
Multi-Assignment Clustering for Boolean Data
, 2009
Cited by 30 (5 self)
Conventional clustering methods typically assume that each data item belongs to a single cluster. This assumption does not hold in general. In order to overcome this limitation, we propose a generative method for clustering vectorial data, where each object can be assigned to multiple clusters. Using a deterministic annealing scheme, our method decomposes the observed data into the contributions of individual clusters and infers their parameters. Experiments on synthetic Boolean data show that our method achieves higher accuracy in the source parameter estimation and superior cluster stability compared to state-of-the-art approaches. We also apply our method to an important problem in computer security known as role mining. Experiments on real-world access control data show performance gains in generalization to new employees against other multi-assignment methods. In challenging situations with high noise levels, our approach maintains its good performance, while alternative state-of-the-art techniques lack robustness.
Fast exact and heuristic methods for role minimization problems
, 2008
Cited by 29 (0 self)
We describe several bottom-up approaches to problems in role engineering for Role-Based Access Control (RBAC). The salient problems are all NP-complete, even to approximate, yet we find that in instances that arise in practice these problems can be solved in minutes. We first consider role minimization, the process of finding a smallest collection of roles that can be used to implement a pre-existing user-to-permission relation. We introduce fast graph reductions that allow recovery of the solution from the solution to a problem on an input graph. For our test cases, these reductions either solve the problem, or reduce the problem enough that we find the optimum solution with a (worst-case) exponential method. We introduce lower bounds that are sharp for seven of nine test cases and are within 3.4% on the other two. We introduce and test a new polynomial-time approximation that on average yields 2% more roles than the optimum. We next consider the related problem of minimizing the number of connections between roles and users or permissions, and we develop effective heuristic methods for this problem as well. Finally, we propose methods for several related problems.
Optimal Boolean Matrix Decomposition: Application to Role Engineering
Cited by 26 (6 self)
A decomposition of a binary matrix into two matrices gives a set of basis vectors and their appropriate combination to form the original matrix. Such decomposition solutions are useful in a number of application domains including text mining, role engineering as well as knowledge discovery. While a binary matrix can be decomposed in several ways, however, certain decompositions better characterize the semantics associated with the original matrix in a succinct but comprehensive way. Indeed, one can find different decompositions optimizing different criteria matching various semantics. In this paper, we first present a number of variants to the optimal Boolean matrix decomposition problem that have pragmatic implications. We then present a unified framework for modeling the optimal binary matrix decomposition and its variants using binary integer programming. Such modeling allows us to directly adopt the huge body of heuristic solutions and tools developed for binary integer programming. Although the proposed solutions are applicable to any domain of interest, for providing more meaningful discussions and results, in this paper, we present the binary matrix decomposition problem in a role engineering context, whose goal is to discover an optimal and correct set of roles from existing permissions, referred to as the role mining problem (RMP). This problem has gained significant interest in recent years as role based access control has become a popular means of enforcing security in databases. We consider several variants of the above basic RMP, including the min-noise RMP, δ-approximate RMP and edge-RMP. Solutions to each of them aid security administrators in specific scenarios. We then model these variants as Boolean matrix decomposition and present efficient heuristics to solve them.
Detecting and resolving policy misconfigurations in access-control systems
 In Proc. of the 13th ACM Symposium on Access Control Models and Technologies
, 2008
Cited by 25 (2 self)
Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration and, in the context of particular applications (e.g., health care), very severe consequences. In this paper we apply association rule mining to the history of accesses to predict changes to access-control policies that are likely to be consistent with users’ intentions, so that these changes can be instituted in advance of misconfigurations interfering with legitimate accesses. Instituting these changes requires consent of the appropriate administrator, of course, and so a primary contribution of our work is to automatically determine from whom to seek consent and to minimize the costs of doing so. We show using data from a deployed access-control system that our methods can reduce the number of accesses that would have incurred costly time-of-access delays by 44%, and can correctly predict 58% of the intended policy. These gains are achieved without increasing the total amount of time users spend interacting with the system.
Evaluating Role Mining Algorithms
 in SACMAT '09: Proceedings of the 14th ACM symposium on Access control models and technologies
, 2009
Cited by 25 (1 self)
While many role mining algorithms have been proposed in recent years, there lacks a comprehensive study to compare these algorithms. These role mining algorithms have been evaluated when they were proposed, but the evaluations were using different datasets and evaluation criteria. In this paper, we introduce a comprehensive framework for evaluating role mining algorithms. We categorize role mining algorithms into two classes based on their outputs; Class 1 algorithms output a sequence of prioritized roles while Class 2 algorithms output complete RBAC states. We then develop techniques that enable us to compare these algorithms directly. We also introduce a new role mining algorithm and two new ways for algorithmically generating datasets for evaluation. Using synthetic as well as real datasets, we compared nine role mining algorithms. Our results illustrate the strengths and weaknesses of these algorithms.
Migrating to optimal RBAC with minimal perturbation
 in Proceedings of the 13th ACM Symposium on Access Control Models and Technologies Proceedings SACMAT ’08. ACM
, 2008
Cited by 20 (2 self)
Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role based access control. A key problem related to this is the notion of goodness: when is a set of roles good? Recently, the role mining problem (RMP) has been defined as the problem of discovering an optimal set of roles from existing user permissions. Several different objectives for optimality have been proposed. However, one problem with these definitions is that often organizations already have a deployed set of roles and wish to optimize this set. Even if an optimal set of roles is discovered, if this is widely different, it is impossible to simply throw out the deployed roles and start using the new ones as this may disrupt organizational processes and separation of duty constraints that are defined on roles. Essentially, what is missing is taking role migration cost into account when defining optimality, which would allow us to come up with the best suited set of roles. In this paper, we define a fundamentally different Role Mining Problem that takes the problem of deployed roles into account. We define the Minimal Perturbation RMP as the problem of discovering an optimal set of roles from existing user permissions that are similar to the currently deployed roles. In order to do this, we discuss the concept of similarity of roles and propose suitable definitions. Solutions also need to be parameterized to set relative weight of similarity and minimality to find the optimal set. We propose a heuristic solution based on the previously developed FastMiner algorithm that meets these requirements. We demonstrate the effectiveness of the algorithm through our experimental results. Portions of this work were supported by award CNS
Inferring Privacy Policies for Social Networking Services (Position Paper)
Cited by 19 (1 self)
Social networking sites have come under criticism for their poor privacy protection track record. Yet, there is an inherent difficulty in deciding which principals should have access to user’s information or actions, without requiring them to constantly manage their privacy settings. We propose to extract automatically such privacy settings, based on the policy that information produced within a social context should remain in that social context, both to ensure privacy as well as maximising utility. A machine learning approach is used to extract automatically such social contexts, as well as a tentative evaluation.
A formal framework to elicit roles with business meaning in RBAC systems
 In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT ’09
, 2009
Cited by 18 (3 self)
The role-based access control (RBAC) model has proven to be cost effective to reduce the complexity and costs of access permission management. To maximize the advantages offered by RBAC, the role engineering discipline has been introduced. A viable approach is to explore current applications and systems to find de facto roles embedded in existing user permissions, leading to what is usually referred to as role mining. However, a key problem that has not yet been adequately addressed by existing role mining approaches is how to propose roles that have business meaning. In order to do this, we provide a new formal framework that also enjoys practical relevance. In particular, the proposed framework leverages business information—such as business processes and organization structure—to implement role mining algorithms. Our key observation is that a role is likely to be meaningful from a business perspective when it involves activities within the same business process or organizational units within the same branch. To measure the “spreading” of a role among business processes or organization structure, we resort to centrality indices. Such indices are used in our cost-driven approach during the role mining process. Finally, we illustrate the application of the framework through a few examples.