Computer Science 1 Mining Likely Properties of Access Control Policies via Association Rule Mining JeeHyun Hwang 1, Tao Xie 1, Vincent Hu 2 and Mine Altunay.

Presentation transcript:

Computer Science
Slide 1: Mining Likely Properties of Access Control Policies via Association Rule Mining
JeeHyun Hwang (1), Tao Xie (1), Vincent Hu (2) and Mine Altunay (3)
(1) North Carolina State University, (2) National Institute of Standards and Technology, (3) Fermi National Laboratory
(DBSec 2010)

Automated Software Engineering Research Group
Slide 2: Access Control Mechanism
- Access control mechanisms control which subjects (such as users or processes) have access to which resources.
- Diagram labels: Policy; Request; Response (Permit, Deny, or Not-applicable)

Slide 3: Motivation
- Access control policies often include a large number of rules
- Misconfiguration and mistakes in access control policies lead to security problems
- Need to ensure the correct behaviours of policies
  - Property verification: check whether properties are satisfied by a policy
- Violations of a property expose policy faults
- Confidence in policy correctness depends on the quality of the specified properties

Slide 4: Problem
- Properties are often not written in practice
- Writing properties is not trivial
- Our proposed solution: mine likely properties automatically based on correlations of attribute values

Slide 5: Solution: Mining Likely Properties
- A policy often has similar behaviors across attribute values (e.g., faculty and lecturer roles)
- Our approach mines likely properties via association rule mining
  - Lecturer is permitted to conduct actions -> Faculty member is likely to be permitted to conduct the same actions
- Violations of likely properties are deviations from normal policy behaviors
- Policy authors need to inspect violations

Slide 6: Outline
- Background and Motivation
- Likely-Property Templates
- Example
- Framework
  - Relation Table Generation
  - Association Rule Mining
  - Likely-Property Verification
- Evaluation Results
- Conclusion

Slide 7: Likely-Property Templates
- Implication relation: likely properties correlate decision dec1 (Permit or Deny) for an attribute value v1 with decision dec2 for another attribute value v2
  {Item(v1, dec1)} -> {Item(v2, dec2)}
- Implication relation types
  - Subject attribute item sets: {Item1({TA}, Permit)} -> {Item2({Faculty}, Permit)}
  - Action attribute item sets: {Item({Assign}, Permit)} -> {Item({View}, Permit)}
  - Subject-action attribute item sets: {Item1({TA, Assign}, Permit)} -> {Item2({Faculty, Assign}, Permit)}

Slide 8: Example
May 12, 2007 WWW 2007, Banff, Alberta, Canada
- If role = Faculty and resource = (ExternalGrade or InternalGrade) and action = (View or Assign) then Permit
- If role = TA and resource = (InternalGrade) and action = (View or Assign) then Permit
- If role = Student and resource = (ExternalGrade) and action = (Receive) then Permit
- If role = Family and resource = (ExternalGrade) and action = (Receive) then Permit
- If role = Lecturer and resource = (ExternalGrade or InternalGrade) and action = (Assign or View) then Permit
- Deny
[Slide callouts: "Receive is used instead"; "= (View or Assign) then Permit"; "Faulty Rule"]

Slide 9: Example - cont.
- Implication relations R1 with 100% confidence
- Implication relations R2 with at least 65% confidence

Slide 10: Framework

Slide 11: Relation Table Generation
- Find all possible request-response pairs in a policy
- Generate relation tables (including all request-response pairs) of interest
  - Input for an association rule mining tool
- Example: relation table for implication relations of action attribute
  - Row: Subject X Resource
  - Column: Action

Slide 12: Association Rule Mining
- Given a relation table, find implication relations of attributes via association rule mining
- Find three types of implication relations
- Report implication relations with confidence values over a given threshold
  confidence(X -> Y) = supp(X ∪ Y) / supp(X)
  supp(X) = D / T
  - T is #total rows
  - D is #rows that include attribute-decision X

Slide 13: Likely Property Verification
- Verify a policy with given likely properties and find counterexamples
- Inspect to determine whether counterexamples expose a fault
- Rationale: counterexamples (which do not satisfy the likely properties) deviate from the policy's normal behaviors and are special cases for inspection
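
The three framework steps above (relation table, mining, verification), as an added example that is not code from the slides or the authors' tool. It encodes the five Permit rules of the Example slide with default Deny; the seeded fault in the TA rule and the 0.65 threshold are assumptions chosen for illustration.

```python
from itertools import product
ROLES = ["Faculty", "TA", "Student", "Family", "Lecturer"]
RESOURCES = ["ExternalGrade", "InternalGrade"]
ACTIONS = ["View", "Assign", "Receive"]

def policy(ta_actions):
    """Permit rules from the Example slide; anything unmatched is Deny."""
    both, ext, int_ = set(RESOURCES), {"ExternalGrade"}, {"InternalGrade"}
    return [("Faculty", both, {"View", "Assign"}),
            ("TA", int_, set(ta_actions)),
            ("Student", ext, {"Receive"}),
            ("Family", ext, {"Receive"}),
            ("Lecturer", both, {"Assign", "View"})]

def decide(rules, role, res, act):
    hit = any(role == r and res in rs and act in acts for r, rs, acts in rules)
    return "Permit" if hit else "Deny"

def relation_table(rules):
    """Row: Subject x Resource. Column: Action. Cell: (action, decision) item."""
    return {(role, res): {(a, decide(rules, role, res, a)) for a in ACTIONS}
            for role, res in product(ROLES, RESOURCES)}

def supp(table, items):
    # supp(X) = D / T: D rows containing every item of X, T total rows
    return sum(items <= row for row in table.values()) / len(table)

def confidence(table, x, y):
    sx = supp(table, {x})
    return supp(table, {x, y}) / sx if sx else 0.0

def mine(table, threshold):
    """Implication relations {x} -> {y} over distinct actions, conf >= threshold."""
    items = [(a, d) for a in ACTIONS for d in ("Permit", "Deny")]
    return {(x, y): c for x, y in product(items, items)
            if x[0] != y[0] and (c := confidence(table, x, y)) >= threshold}

def counterexamples(table, x, y):
    # Rows where X holds but Y does not: the requests a policy author inspects
    return sorted(row for row, cells in table.items() if x in cells and y not in cells)

GOOD = relation_table(policy(["View", "Assign"]))
# Constructed fault (assumption): Receive written in place of View in the TA rule
FAULTY = relation_table(policy(["Assign", "Receive"]))
RULE = (("Assign", "Permit"), ("View", "Permit"))

if __name__ == "__main__":
    for (x, y), c in sorted(mine(FAULTY, 0.65).items()):
        print(f"{x} -> {y}  conf={c:.2f}  violations={counterexamples(FAULTY, x, y)}")
```

On the faulty policy every mined relation below 100% confidence has the same single counterexample row, which is the kind of duplicate counterexample the prioritization technique inspects first.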

Slide 14: Basic and Prioritization Techniques
- Basic technique: inspect counterexamples in no particular order
- Prioritization technique: inspect counterexamples by the order of their fault-detection likelihood
  - Inspect duplicate counterexamples first
  - Inspect counterexamples produced from likely properties with fewer counterexamples
- Prioritization technique designed to reduce inspection effort

Slide 15: Evaluation
- RQ1: How much higher is the percentage of faults detected by our approach compared to an existing related approach [Martin&Xie Policy 2006]?
- RQ2: How much lower is the percentage of distinct counterexamples generated by our approach compared to the existing approach?
- RQ3: For cases where a fault in a faulty policy is detected by our approach, what percentage of distinct counterexamples (for inspection) is eliminated by our prioritization?

Slide 16: Metrics
- Fault-detection ratio (FR)
- Counterexample count (CC)
- Counterexample-reduction ratio (CRB) for our approach over the existing approach
- Counterexample-reduction ratio (CRP) for the prioritization technique over the basic technique

Slide 17: Evaluation Setup
- Seed a policy with faults for synthesizing faulty policies
  - One fault in each faulty policy for ease of evaluation
  - Four fault types
    - Change-Rule Effect (CRE)
    - Rule-Target True (RTT)
    - Rule-Target False (RTF)
    - Removal Rule (RMR)
- Compare results of our approach with those of the previous DT approach based on decision tree [Martin&Xie Policy 2006]

Slide 18: 4 XACML Policy Subjects
- Real-life access control policies
- The number of rules ranges rules

Slide 19: Evaluation Results (1/2)
FR: Fault-detection ratio
CC: Counterexample count
CRB: Counterexample-reduction ratio for our approach over DT approach
CRP: Counterexample-reduction ratio for the prioritization technique over the basic technique
- DT, Basic and Prioritization show fault-detection ratios of 25.9%, 62.3%, and 62.3% on average, respectively
- Our approach (including Basic and Prioritization techniques) outperforms DT in terms of fault-detection capability
- Our approach reduced the number of counterexamples by 55.5% over DT
- Our approach significantly reduced the number of counterexamples while detecting a higher percentage of faults (addressed in RQ1)
- Prioritization reduced counterexamples (for inspection) by 38.5% on average over Basic (in Column "% CRP")

Slide 20: Evaluation Results (2/2)
- Prioritization and Basic achieve the highest fault-detection capability for policies with RTT, RTF, or RMR faults
- Figure: Fault-detection ratios of faulty policies

Slide 21: Conclusion
- A new approach that mines likely properties characterizing correlations of policy behaviors w.r.t. attribute values
  - Verification of the policy against likely properties to inspect whether the policy includes a fault
- An evaluation on 4 real-world XACML policies
  - Our approach achieved >30% higher fault-detection capability than that of the previous related approach based on decision tree
  - Our approach helped reduce >50% counterexamples for inspection compared to the previous approach

Slide 22: Questions?

Slide 23: Related Work
- Assessing quality of policy properties in verification of access control policies [Martin et al. ACSAC 2008]
- Inferring access-control policy properties via machine learning [Martin&Xie Policy 2006]
- Detecting and resolving policy misconfigurations in access-control systems [Bauer et al. SACMAT 2008]

Slide 24: Discussion