The discrete basis problem
, 2005
Cited by 41 (13 self)
We consider the Discrete Basis Problem, which can be described as follows: given a collection of Boolean vectors find a collection of k Boolean basis vectors such that the original vectors can be represented using disjunctions of these basis vectors. We show that the decision version of this problem is NP-complete and that the optimization version cannot be approximated within any finite ratio. We also study two variations of this problem, where the Boolean basis vectors must be mutually orthogonal. We show that the other variation is closely related with the well-known Metric k-median Problem in Boolean space. To solve these problems, two algorithms will be presented. One is designed for the variations mentioned above, and it is solely based on solving the k-median problem, while another is a heuristic intended to solve the general Discrete Basis Problem. We will also study the results of extensive experiments made with these two algorithms with both synthetic and real-world data. The results are twofold: with the synthetic data, the algorithms did rather well, but with the real-world data the results were not as good.
Migrating to optimal RBAC with minimal perturbation
 in Proceedings of the 13th ACM Symposium on Access Control Models and Technologies, SACMAT ’08. ACM
, 2008
Cited by 20 (2 self)
Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role based access control. A key problem related to this is the notion of goodness: when is a set of roles good? Recently, the role mining problem (RMP) has been defined as the problem of discovering an optimal set of roles from existing user permissions. Several different objectives for optimality have been proposed. However, one problem with these definitions is that often organizations already have a deployed set of roles and wish to optimize this set. Even if an optimal set of roles is discovered, if this is widely different, it is impossible to simply throw out the deployed roles and start using the new ones as this may disrupt organizational processes and separation of duty constraints that are defined on roles. Essentially, what is missing is taking role migration cost into account when defining optimality, which would allow us to come up with the best suited set of roles. In this paper, we define a fundamentally different Role Mining Problem that takes the problem of deployed roles into account. We define the Minimal Perturbation RMP as the problem of discovering an optimal set of roles from existing user permissions that are similar to the currently deployed roles. In order to do this, we discuss the concept of similarity of roles and propose suitable definitions. Solutions also need to be parameterized to set relative weight of similarity and minimality to find the optimal set. We propose a heuristic solution based on the previously developed FastMiner algorithm that meets these requirements. We demonstrate the effectiveness of the algorithm through our experimental results. Portions of this work were supported by award CNS
A formal framework to elicit roles with business meaning in RBAC systems
 In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies, SACMAT ’09
, 2009
Cited by 18 (3 self)
The role-based access control (RBAC) model has proven to be cost effective to reduce the complexity and costs of access permission management. To maximize the advantages offered by RBAC, the role engineering discipline has been introduced. A viable approach is to explore current applications and systems to find de facto roles embedded in existing user permissions, leading to what is usually referred to as role mining. However, a key problem that has not yet been adequately addressed by existing role mining approaches is how to propose roles that have business meaning. In order to do this, we provide a new formal framework that also enjoys practical relevance. In particular, the proposed framework leverages business information—such as business processes and organization structure—to implement role mining algorithms. Our key observation is that a role is likely to be meaningful from a business perspective when it involves activities within the same business process or organizational units within the same branch. To measure the “spreading” of a role among business processes or organization structure, we resort to centrality indices. Such indices are used in our cost-driven approach during the role mining process. Finally, we illustrate the application of the framework through a few examples.
J.M.: A class of probabilistic models for role engineering. In: CCS ’08.
, 2008
Cited by 14 (4 self)
Role Engineering is a security-critical task for systems using role-based access control (RBAC). Different role-mining approaches have been proposed that attempt to automatically infer appropriate roles from existing user-permission assignments. However, these approaches are mainly combinatorial and lack an underlying probabilistic model of the domain. We present the first probabilistic model for RBAC. Our model defines a general framework for expressing user permission assignments and can be specialized to different domains by limiting its degrees of freedom with appropriate constraints. For one practically important instance of this framework, we show how roles can be inferred from data using a state-of-the-art machine-learning algorithm. Experiments on both randomly generated and real-world data provide evidence that our approach not only creates meaningful roles but also identifies erroneous user-permission assignments in given data.
Model order selection for Boolean matrix factorization
 In KDD
, 2011
Cited by 13 (9 self)
Matrix factorizations—where a given data matrix is approximated by a product of two or more factor matrices—are powerful data mining tools. Among other tasks, matrix factorizations are often used to separate global structure from noise. This, however, requires solving the ‘model order selection problem’ of determining where fine-grained structure stops, and noise starts, i.e., what is the proper size of the factor matrices. Boolean matrix factorization (BMF)—where data, factors, and matrix product are Boolean—has received increased attention from the data mining community in recent years. The technique has desirable properties, such as high interpretability and natural sparsity. But so far no method for selecting the correct model order for BMF has been available. In this paper we propose to use the Minimum Description Length (MDL) principle for this task. Besides solving the problem, this well-founded approach has numerous benefits, e.g., it is automatic, does not require a likelihood function, is fast, and, as experiments show, is highly accurate. We formulate the description length function for BMF in general—making it applicable for any BMF algorithm. We extend an existing algorithm for BMF to use MDL to identify the best Boolean matrix factorization, analyze the complexity of the problem, and perform an extensive experimental evaluation to study its behavior.
On the definition of role mining
 In SACMAT ’10: Proceeding of the 15th ACM Symposium on Access Control Models and Technologies
, 2010
Cited by 8 (2 self)
There have been many approaches proposed for role mining. However, the problems solved often differ due to a lack of consensus on the formal definition of the role mining problem. In this paper, we provide a detailed analysis of the requirements for role mining, the existing definitions of role mining, and the methods used to assess role mining results. Given basic assumptions on how access-control configurations are generated, we propose a novel definition of the role mining problem that fulfills the requirements that real-world enterprises typically have. In this way, we recast role mining as a prediction problem.
RoleVAT: Visual Assessment of Practical Need for Role Based Access Control, ACSAC
, 2009
Cited by 7 (0 self)
Role based access control (RBAC) is a powerful security administration concept that can simplify permission assignment management. Migration to and maintenance of RBAC requires role engineering, the identification of a set of roles that offer administrative benefit. However, establishing that RBAC is desirable in a given enterprise is lacking in current role engineering processes. To help identify the practical need for RBAC, we propose RoleVAT, a Role engineering tool for the Visual Assessment of user and permission Tendencies. User and permission clusters can be visually identified as potential user groups or roles. The benefit and impact of this visual analysis in enterprise environments is discussed and demonstrated through testing on real life as well as synthetic datasets. Our experimental results show the effectiveness of RoleVAT as well as interesting user and role tendencies in real enterprise environments.
Role mining based on weights
 in: Proc. 15th ACM Symposium on Access Control Models and Technologies
, 2010
Cited by 6 (3 self)
Role mining from the existing permissions has been widely applied to aid the process of migrating to an RBAC system. While all permissions are treated evenly in previous approaches, none of the work has employed the weights of permissions in role mining to our knowledge, thus providing the motivation for this work. In this paper, we generalize this to the case where permissions are given weights to reflect their importance to the system. The weights can correspond to the property of operations, the sensitive degree of objects, and the attribute of users associated with permissions. To calculate the weight of permissions, we introduce the concept of similarity between both users and permissions, and use a similarity matrix to reinforce the similarity between permissions. Then we create a link between the reinforced similarity and the weight of permissions. We further propose a weighted role mining algorithm to generate roles based on weights. Experiments on performance study prove the superiority of the new algorithm.
MDL4BMF: Minimum Description Length for Boolean matrix factorization
, 2012
Cited by 6 (6 self)
Matrix factorizations—where a given data matrix is approximated by a product of two or more factor matrices—are powerful data mining tools. Among other tasks, matrix factorizations are often used to separate global structure from noise. This, however, requires solving the “model order selection problem” of determining the proper rank of the factorization, that is, to answer where fine-grained structure stops, and where noise starts. Boolean Matrix Factorization (BMF)—where data, factors, and matrix product are Boolean—has in recent years received increased attention from the data mining community. The technique has desirable properties, such as high interpretability and natural sparsity. Yet, so far no method for selecting the correct model order for BMF has been available. In this article, we propose the use of the Minimum Description Length (MDL) principle for this task. Besides solving the problem, this well-founded approach has numerous benefits; for example, it is automatic, does not require a likelihood function, is fast, and, as experiments show, is highly accurate. We formulate the description length function for BMF in general—making it applicable for any BMF algorithm. We discuss how to construct an appropriate encoding: starting from a simple and intuitive approach, we arrive at a highly efficient data-to-model–based encoding for BMF. We extend an existing
S.D.: Algorithms for mining meaningful roles
 In: Proc. 17th ACM Symposium on Access Control Models and Technologies (SACMAT
, 2012
Cited by 5 (2 self)
Role-based access control (RBAC) offers significant advantages over lower-level access control policy representations, such as access control lists (ACLs). However, the effort required for a large organization to migrate from ACLs to RBAC can be a significant obstacle to adoption of RBAC. Role mining algorithms partially automate the construction of an RBAC policy from an ACL policy and possibly other information, such as user attributes. These algorithms can significantly reduce the cost of migration to RBAC. This paper proposes new algorithms for role mining. The algorithms can easily be used to optimize a variety of policy quality metrics, including metrics based on policy size, metrics based on interpretability of the roles with respect to user attribute data, and compound metrics that consider size and interpretability. The algorithms all begin with a phase that constructs a set of candidate roles. We consider two strategies for the second phase: start with an empty policy and repeatedly add candidate roles, or start with the entire set of candidate roles and repeatedly remove roles. In experiments with publicly available access control policies, we find that the elimination approach produces better results, and that, for a policy quality metric that reflects size and interpretability, our elimination algorithm achieves significantly better results than previous work.