Title: Role mining over big and noisy data theory and some applications
Authors: Verde, Nino Vincenzo
Advisors: Di Pietro, Roberto
Chierchia, Luigi
Keywords: data mining
access control
role mining
Issue Date: 2-Apr-2012
Publisher: Università degli studi Roma Tre
Abstract: RBAC (Role-Based Access Control [2]) is a widely adopted access control model. According to this model, roles are created for various job functions within the organization. The permissions required to perform certain operations are assigned to specific roles. System users, in turn, are assigned to appropriate roles based on their responsibilities and qualifications. Through role assignments they acquire the permissions to perform particular system functions. By deploying RBAC systems, organizations obtain several benefits such as simplified access control administration, improved organizational productivity, and security policy enforcement. Companies that plan to use the RBAC model are usually large or medium organizations that are currently using other access control models and/or legacy systems. Despite the benefits related to RBAC, it is sometimes hard for these organizations to adopt such a model. Indeed, there is an important issue that needs to be addressed: the model must be customized to capture the needs and functions of the company. For this purpose, the role engineering discipline [21] has been introduced. Various approaches to role engineering have been proposed, which are usually classified as top-down or bottom-up. The former requires a deep analysis of business processes to identify which access permissions are necessary to carry out specific tasks. The latter seeks to identify de facto roles embedded in existing access control information. Since bottom-up approaches usually resort to data mining techniques, the term role mining is often used as a synonym for bottom-up. This thesis is devoted to role mining techniques and their applications to large-scale datasets. Several works prove that the role mining problem is reducible to many other well-known NP-hard problems, such as binary matrix factorization [56, 72] and tiling database [38], to cite a few.
Therefore, most of the existing theoretical approaches cannot be directly applied to large datasets. Indeed, such algorithms have a complexity that is not linear compared to the number of users or permissions to analyze [6, 29, 78]. In this thesis, the main drawbacks of traditional role mining tasks that are based on minimality measures are highlighted. Indeed, a minimal set of roles is generally not useful to the system administrators. We point out that in order to provide a good candidate role-set, role mining algorithms have to take into account business information as well. We address the problem of reducing the role mining complexity in RBAC systems by making it practical and usable. The first approach that we propose is to elicit stable candidate roles, by contextually simplifying the role selection task. Furthermore, we introduce two methodologies that can be combined in order to elicit meaningful roles while reducing the role mining complexity. The first is a divide et impera strategy that is driven by one or more business attributes. The second methodology overcomes the main limitation of the divide et impera approach by reducing the problem size without sacrificing utility and accuracy. The original access control dataset is compressed and then analyzed in order to identify interesting portions, which are then reconstructed. Any existing role mining algorithm can be used to analyze the reconstructed portions, which are orders of magnitude smaller than the original dataset. We point out that to effectively elicit a deployable role-set, role engineers have to handle the noise that is always present within access control datasets. It is important to figure out whether there are assignments that have not been granted but that, if granted, would help the management of the role set. It is also important to figure out whether there are permissions that have been accidentally granted but that could hinder the role management.
We introduce two algorithms that are able to find missing and abnormal user-permission assignments. Furthermore, we introduce a fast update operation that quickly re-evaluates the dataset when a modification occurs during the normal life cycle of the roles. Further, we introduce a new approach to role mining, referred to as visual role mining. It offers a graphical way to effectively navigate the result of any existing role mining algorithm, showing at a glance what would otherwise take a lot of data to expound. Moreover, we make it possible to visually identify meaningful roles within access control data without resorting to traditional role mining tools. Finally, some concluding remarks as well as future research directions are highlighted.
Access Rights: info:eu-repo/semantics/openAccess
Appears in Collections: X_Dipartimento di Matematica (fino al 31/12/2012)
T - Tesi di dottorato

Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.