Presentation is loading. Please wait.

Presentation is loading. Please wait.

Xusheng Xiao, Tao Xie North Carolina State University Amit Paradkar IBM T.J. Watson Research Center

Published bySabrina Chase Modified over 9 years ago

Similar presentations

Presentation on theme: "Xusheng Xiao, Tao Xie North Carolina State University Amit Paradkar IBM T.J. Watson Research Center"— Presentation transcript:

1 Xusheng Xiao, Tao Xie North Carolina State University xxiao2,txie@ncsu.edu Amit Paradkar IBM T.J. Watson Research Center paradkar@us.ibm.com

2  Access control is one of the most widely used privacy and security mechanisms  used to prevent security vulnerabilities by controlling access to resources  Access control is often governed by security policies called Access Control Policies (ACP)

3  ACP includes rules to control which principals have access to which resources  A policy rule includes four elements  subject – HCP  action - edit  resource - patient's account  effect - deny “The Health Care Personnel (HCP) does not have the ability to edit the patient's account.” ex.

4  How to ensure correct specification of ACPs?  ACPs may be complex/error-prone to specify  ACPs are often written in natural language (NL)  How to ensure correct enforcement of ACPs?  Gap btw ACPs (domain concepts) and system implementation (programming concepts)  Functional requirements bridge the gap but are often written in NL NL Functional Requirement System Implementation NL ACPs conformance

5 Properties Functional Requirement Automated Extraction of ACPs Non-Functional Requirement System Implementation Verification and Testing Tools Correct Specification Correct Enforcement Detected Issues Automated Validation against ACPs Extracted ACPs

6  How to ensure correct specification of ACPs?  ACPs may be complex/error-prone to specify  Existing approaches on ACP testing and verification  require ACPs to be formally specified, such as in XACML(eXtensible Access Control Markup Language)

7 OASIS standard XML-based language to specify ACPs HCP edit patient.account Organization for the Advancement of Structured Information Standards “The Health Care Personnel (HCP) does not have the ability to edit the patient's account.”

8  Specify ACPs directly in XACML  via XML editor  Specify ACPs using GUI tool  via NIST/NCSU ACPT tool

9 Contact: Vincent Hu vhu@nist.govvhu@nist.gov http://csrc.nist.gov/groups/SNS/acpt/acpt-beta.htm  Model Construction  specify and combine access control (AC) models (e.g., Multi-Level, RBAC )  Model Verification  verify AC models against given properties  Implementation Testing  test AC implementation with NIST ACTS  XACML Synthesis

10  In practice, ACPs are often written in natural language (NL), especially in legacy systems  Supposed to be written in non-functional requirements (e.g., security requirement)  But often buried inside functional requirements …… Patient MID should be the number assigned when the patient is added to the system and cannot be edited. The HCP does not have the ability to edit the patient's security question and password. ……. ( UC1 of iTrust use cases) ex.

11  Manually inspect NL documents and identify sentences describing ACPs Specify via XML Editor Non-Functional Requirements Formal ACPs Functional Requirements Specify via GUI Tool

12 ACP Extraction Access Control Policy Effect Subject Action Resource HCP edit patient.account deny “The Health Care Personnel (HCP) does not have the ability to edit the patient's account.”

13  NL documents, such as functional requirements, could be large in size, only a small portion describes ACPs  iTrust requirement has 464 sentences  only 10 sentences describe ACPs  Manual extraction of ACPs Very tedious and error-prone

14  Scenario-based functional requirements:  use case: a sequence of action steps, describing ▪ principals access different resources for achieving some functionalities  Resource access information:  subject – patient  action – view  resource – access log The patient views access log. ex.

15  Manual validation to detect inconsistencies  Action steps inconsistent with formalized/extracted ACPs  Inconsistent names used for referring to the same entity (e.g., user) across different use cases editor used in UC 4 of iTrust use cases actually refers to all users. ex.

16  Action-step inconsistencies cause problems for enforcing policies  Mismatch btw ACP entities and their counterparts in functional requirements ▪ user used in ACP vs. editor used in use cases  If inconsistencies not resolved at requirement stage, cost grows much higher for fixing them in later stages

17  Ensure correct specification  automatically extract ACPs from NL documents  Ensure correct enforcement  automatically extract action steps from NL use cases  Novel Natural Language Processing (NLP) techniques  syntactic analysis: extract syntactic structure (noun group, verb group)  semantic analysis: extract semantic meaning of elements (e.g., subject, action, resource, and effect)

18 Functional Requirement Non-function Requirements ACP Extraction Formal ACPs ACP Extraction Deny ACPs Resource Access Information Combined ACPs Action-step Extraction Automatic Validation Detected Inconsistencies

19 Functional Requirement ACP Extraction Deny ACPs Resource Access Information Action-step Extraction Permit ACPs Combined ACPs

20  TC1: Semantic Structure Variance  different ways to specify the same rule  TC2: Negative Meaning Implicitness  verb could have negative meaning ACP 1: An HCP cannot change patient’s account. ACP2: An HCP is disallowed to change patient’s account.

21  TC3: Anaphora  TC4: Transitive Subject  TC5: Perspective Variance These challenges apply when extracting ACPs from Functional Requirements Step 1: An HCP creates an account. Step 2:He edits the account. Step 3: The system updates the account. Step 4: The system displays the updated account. HCP HCP views the updated account.

22 Non- Functional Reqs Specification (e.g., XACML) Transformation ACP Linguistic Analysis ACP Linguistic Analysis Model Construction ACP Model Resource Access Extraction Use Cases (UC) Use Case Linguistic Analysis Use Case Linguistic Analysis Action Steps Action Steps Resource Access Information Action-step Extraction ACP Extraction Use Cases (UC)

23 Specification (e.g., XACML) Transformation ACP Linguistic Analysis ACP Linguistic Analysis Model Construction ACP Model Resource Access Extraction Use Cases (UC) Use Case Linguistic Analysis Use Case Linguistic Analysis Action Steps Action Steps Resource Access Information Action-step Extraction ACP Extraction Non- Functional Reqs Use Cases (UC)

24 NL Text Shallow Parsing Words with POS tags, Phrases, Grammatical Functions Semantic Pattern Matching Phrases marked with annotations Words associated with semantic classes Domain Dictionary

25  Part-Of-Speech Tag (POS)  Phrase Identification  Grammatical Functions Active Voice ACP 1: An HCP can view patient’s account. ACP2: An HCP is disallowed to change the patient’s account. NPVGPNP Main Verb GroupSubjectObject Passive Voice to-infinitive phrase

26  Address TC1 Semantic Structure Variance  Compose pattern based on grammatical function An HCP is disallowed to change the patient’s account. ex. passive voiceto-infinitive phrase followed by

27  Modal Verb in Main Verb Group  Passive Voice followed by To-infinitive Phrase  Access Expression An HCP can view the patient’s account. An admin should not update patients’ password. An HCP is disallowed to update patient’s password. An HCP is allowed to view patient’s account. An HCP has read access to patient’s account. An patient’s account is accessible to an HCP.

28  Used to associate verbs with semantic class  Include synonyms (collected from WordNet) “prohibit, disallow” -> NEGATIVE “edit, change, update” -> UPDATE ex.

29  Address TC2 Negative Meaning Implicitness  Negative expression  “not” in subject:  “not” in verb group:  Negative meaning words in main verb group No HCP can edit patient’s account. ex. HCP can not edit patient’s account. HCP can never edit patient’s account. ex. An HCP is disallowed to change the patient’s account.

30 Specification (e.g., XACML) Transformation ACP Linguistic Analysis ACP Linguistic Analysis Model Construction ACP Model Resource Access Extraction Use Cases (UC) Use Case Linguistic Analysis Use Case Linguistic Analysis Action Steps Action Steps Resource Access Information Action-step Extraction ACP Extraction Non- Functional Reqs Use Cases (UC)

31  Identify subject, action, and resource:  Subject: HCP  Action: change  Resource: patient’s account  Infer effect:  Negative Expression: none  Negative Verb: disallow  Inferred Effect: deny An HCP is disallowed to change the patient’s account. ex.

32 Specification (e.g., XACML) Transformation ACP Linguistic Analysis ACP Linguistic Analysis Model Construction ACP Model Resource Access Extraction Use Cases (UC) Use Case Linguistic Analysis Use Case Linguistic Analysis Action Steps Action Steps Resource Access Information Action-step Extraction ACP Extraction Non- Functional Reqs Use Cases (UC)

33  Synthesize a corresponding policy rule in XACML in input formats for policy modeling and testing tools such as the NIST/NCSU ACPT tool … Access Control Policy Effect Subject Action Resource HCP update patient’s account Deny HCP update patient.account

34 Specification (e.g., XACML) Transformation ACP Linguistic Analysis ACP Linguistic Analysis Model Construction ACP Model Resource Access Extraction Use Cases (UC) Use Case Linguistic Analysis Use Case Linguistic Analysis Action Steps Action Steps Resource Access Information Action-step Extraction ACP Extraction Non- Functional Reqs Use Cases (UC)

35  We adapt the linguistic analysis engine from our previous approach [DSN’09] with additional techniques to address TC3, TC4, and TC5.  The linguistic analysis engine is based on shallow parsing

36  Address TC3 Anaphora  Resolve Anaphora  adapt anaphora algorithm from “Anaphora for everyone: Pronominal anaphora resolution without a parser” [COLING’96] Step 1: An HCP creates an account. Step 2:He edits the patient’s account. HCP

37  Address TC4 Transitive Subject  Apply data flow of non-system subject: Step 1: The HCP edits the account. Step 2: The system updates the account. Tracking Only system as subject adding HCP as subject

38  Address TC5 Perspective Variance  Apply data flow of non-system subject: Step 1: The HCP edits the account. Step 2: The system shows the updated account. Tracking Only system as subject and action is to output Converting to “HCP views the updated account”

39 Use Case Linguistic Analysis Action Step Actor Type Parameter Patient OUTPUT - view Access log The patient views access log.

40 Specification (e.g., XACML) Transformation ACP Linguistic Analysis ACP Linguistic Analysis Model Construction ACP Model Resource Access Extraction Use Cases (UC) Use Case Linguistic Analysis Use Case Linguistic Analysis Action Steps Action Steps Resource Access Information Action-step Extraction ACP Extraction Non- Functional Reqs Use Cases (UC)

41  Extract resource access information from extracted action steps  Apply union on resource access information of extracted action steps to form permit ACP rules  Permit rules + Deny rules  Combined rules Action Actor Type Parameter Patient OUTPUT - view Access log  Subject: patient  Action: view  Resource: access log

42  Validate resource access information from each action step against specified/extracted ACPs  Report detected inconsistencies

43  Extracted ACPs  serve as initial version for policy authors to improve  validated with specified ACPs for completeness and correctness  Extracted action steps  detect inconsistencies with specified/extracted ACPs  extract ACPs from functional requirements  locate policy enforcement points

44  Prototype system implemented for Text2Policy  Subject: iTrust open source project  http://agile.csc.ncsu.edu/iTrust/wiki/doku.php?id=requiremen ts http://agile.csc.ncsu.edu/iTrust/wiki/doku.php?id=requiremen ts  448 use-case sentences (37 use cases)  10 non-functional-requirement sentences  8 constraint sentences  Total lines of code: 28514 ▪ source: 13528 ▪ unittests: 11445 ▪ Httptests: 3541  Subject: collected NL ACP rules  115 rules  From 18 sources (published papers, public websites, iTrust)

45  RQ1: How effectively does Text2Policy identify sentences describing ACP rules in NL documents?  RQ2: How effectively does Text2Policy extract ACP rules from sentences describing ACP rules?  RQ3: How effectively does Text2Policy extract action steps from use cases?

46  Apply Text2Policy to identify sentences describing deny ACP rules in iTrust requirements  10 sentences among 448 sentences describing deny ACP rules  2 false negative  Ex. “The administrator is not allowed to modify the hospital ID number in an existing entry.”  0 false positive  precision: 100%  recall: 80%

47  Apply Text2Policy to extract ACP rules from collected NL ACP sentences  115 sentences describing ACP rules  Successfully extract 106 ACP rules  Accuracy: 92.17%  Unsuccessful Ex. “Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.”  Unsuccessful Ex. “A reviewer of a paper can resign the review of the paper, unless he has already appointed a sub-reviewer for the paper.”

48  Apply Text2Policy to extract action steps from iTrust use cases  438 sentences (excluding sentences describing ACP rules)  Successfully extract action steps from 367 sentences  Accuracy: 83.79%  Unsuccessful Ex. “The HCP must provide instructions, or else they cannot add the prescription.”  Unsuccessful Ex. “Upon reading the report, the public health agent can send a "fake email" message to the adverse event reporter to gain more information about the report.”

49  How to ensure correct specification of ACPs?  Extract ACPs from security requirements  Extract ACPs from functional requirements  Detect inconsistencies among ACPs  How to ensure correct enforcement of ACPs?  Extract action steps from functional requirements  Detect inconsistencies btw ACPs and action steps Text2Policy Automatic Construction and Validation of ACPs from NL Documents

50  Improve Text2Policy prototype  Integrate Text2Policy to NIST/NCSU ACPT  Conditions in ACP rules  Ordering among ACP rules  Different application domains  Healthcare  Law statutes  NIST NVD (National Vulnerability Database) and CWE (Common Weakness Enumeration)  Mail lists  …  Collaborations are welcome!

51 http://csrc.nist.gov/groups/SNS/acpt/acpt-beta.htm

Download ppt "Xusheng Xiao, Tao Xie North Carolina State University Amit Paradkar IBM T.J. Watson Research Center"

Similar presentations

Policy Specification, Analysis and Transformation International Technology Alliance in Network and Information Sciences A scenario based demo will illustrate.

Policy Specification, Analysis and Transformation International Technology Alliance in Network and Information Sciences A scenario based demo will illustrate.
Proceedings of the Conference on Intelligent Text Processing and Computational Linguistics (CICLing-2007) Learning for Semantic Parsing Advisor: Hsin-His.

Proceedings of the Conference on Intelligent Text Processing and Computational Linguistics (CICLing-2007) Learning for Semantic Parsing Advisor: Hsin-His.
Describing Process Specifications and Structured Decisions Systems Analysis and Design, 7e Kendall & Kendall 9 © 2008 Pearson Prentice Hall.

Describing Process Specifications and Structured Decisions Systems Analysis and Design, 7e Kendall & Kendall 9 © 2008 Pearson Prentice Hall.
ATM User Interface Design. Requirements A bank customer is able to access his or her account using an automatic teller machine. To be able to use an ATM.

ATM User Interface Design. Requirements A bank customer is able to access his or her account using an automatic teller machine. To be able to use an ATM.
10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

10/25/2001Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.
NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.

NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.
Chapter 9 Describing Process Specifications and Structured Decisions

Chapter 9 Describing Process Specifications and Structured Decisions
A Flexible Workbench for Document Analysis and Text Mining NLDB’2004, Salford, June 23-25 2004 1 Gulla, Brasethvik and Kaada A Flexible Workbench for Document.

A Flexible Workbench for Document Analysis and Text Mining NLDB’2004, Salford, June Gulla, Brasethvik and Kaada A Flexible Workbench for Document.
UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.

UML CASE Tool. ABSTRACT Domain analysis enables identifying families of applications and capturing their terminology in order to assist and guide system.
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification
Information Extraction from Documents for Automating Softwre Testing by Patricia Lutsky Presented by Ramiro Lopez.

Information Extraction from Documents for Automating Softwre Testing by Patricia Lutsky Presented by Ramiro Lopez.
LRI Validation Suite Meeting November 1st, 2011. Agenda Review of LIS Test Plan Template CLIA Testing EHR testing (Juror Document)—Inspection Testing.

LRI Validation Suite Meeting November 1st, Agenda Review of LIS Test Plan Template CLIA Testing EHR testing (Juror Document)—Inspection Testing.
Tao Xie University of Illinois at Urbana-Champaign 0

Tao Xie University of Illinois at Urbana-Champaign 0
Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.

Privacy By Design Sample Use Case Privacy Controls Insurance Application- Vehicle Data.
10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.

10/5/1999Database Management -- R. Larson Data Administration and Database Administration University of California, Berkeley School of Information Management.
The chapter will address the following questions:

The chapter will address the following questions:
Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.

Audumbar. Access control and privacy Who can access what, under what conditions, and for what purpose.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Access Control Policy Extraction from Unconstrained Natural Language Text John Slankas and Laurie Williams 5th ASE/IEEE International Conference on Information.

Access Control Policy Extraction from Unconstrained Natural Language Text John Slankas and Laurie Williams 5th ASE/IEEE International Conference on Information.
AQUAINT Kickoff Meeting – December 2001 Integrating Robust Semantics, Event Detection, Information Fusion, and Summarization for Multimedia Question Answering.

AQUAINT Kickoff Meeting – December 2001 Integrating Robust Semantics, Event Detection, Information Fusion, and Summarization for Multimedia Question Answering.

Similar presentations

Ads by Google