]> 2008-12-02T10:30:00-05:00 2008-12-02T12:00:00-05:00
As use of RBAC on the web is increasing, it becomes important for an attacker to know the details of RBAC policies like role hierarchy, constraints in place to effectively attack the system. The question is: can we infer the RBAC details given the access attempts by users of the system?

In Inductive Logic Programming (ILP), background knowledge and negative and positive examples are specified in a logic language. The ILP system generates a hypothesis in logic language that best represents the given set of examples and background knowledge.

If access attempts by the users of RBAC system are stated as facts, and with some background knowledge about the organization's structure, ILP systems should be able to tell the underlying RBAC characteristics of the system. In this talk I will introduce a possible approach towards identifying RBAC policies using ILP systems like Progol [3].

[1] http://en.wikipedia.org/wiki/Rbac
[2] http://en.wikipedia.org/wiki/Inductive_logic_programming
[3] http://en.wikipedia.org/wiki/PROGOL ]]>