Reverse engineering RBAC policies using ILP

by

Tuesday, December 2, 2008, 10:30am - Tuesday, December 2, 2008, 12:00pm

ITE 325

RBAC (Role Based Access Control [1]) is a predominant model used for advanced access control. A variety of IT vendors have provided RBAC implementations in their systems. RBAC provides great flexibility and breadth of application: system administrators can control access at a level of abstraction that is natural to the way enterprises typically conduct business. These features make RBAC suitable for deployment across a variety of web applications, such as social networks and academic suites.

As use of RBAC on the web increases, it becomes important for an attacker to know the details of the RBAC policy, such as the role hierarchy and the constraints in place, in order to attack the system effectively. The question is: can we infer these RBAC details given the access attempts made by users of the system?

In Inductive Logic Programming (ILP [2]), background knowledge together with positive and negative examples are specified in a logic language. The ILP system generates a hypothesis, also expressed in the logic language, that best explains the given examples in light of the background knowledge.

If the access attempts made by users of an RBAC system are stated as facts, and some background knowledge about the organization's structure is supplied, an ILP system should be able to reveal the underlying RBAC characteristics of the system. In this talk I will introduce a possible approach to identifying RBAC policies using ILP systems such as Progol [3].
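The inference loop sketched above (facts from an access log, background knowledge about who holds which role, a hypothesis that must cover every granted attempt and contradict no denied one) can be shown with a small simplified induction rather than a full ILP engine. The following Python is an added example, not code from the talk or from Progol: it takes constructed user-to-role assignments as background knowledge and a constructed log of granted and denied attempts, induces the effective permission set of each role, derives a role hierarchy from strict containment of those sets, and then checks the hypothesis against the denials. From a defender's side the same procedure is a policy audit: the inferred hierarchy and direct assignments can be compared with the policy the administrators intended to deploy.

```python
"""Toy induction of an RBAC role hierarchy and permission assignment from
observed access attempts plus background knowledge. Added example in the
spirit of the ILP approach in the abstract; not Progol. All data is constructed."""

# Background knowledge (constructed): direct user-to-role assignments.
USER_ROLES = {
    "alice": {"admin"},
    "bob": {"editor"},
    "carol": {"editor"},
    "dave": {"viewer"},
    "erin": {"viewer"},
}

# Observed access attempts (constructed): (user, permission, granted?).
# Granted attempts are the positive examples, denials the negative ones.
ACCESS_LOG = [
    ("alice", "read", True), ("alice", "write", True), ("alice", "delete", True),
    ("bob", "read", True), ("bob", "write", True), ("bob", "delete", False),
    ("carol", "read", True), ("carol", "write", True),
    ("dave", "read", True), ("dave", "write", False),
    ("erin", "read", True), ("erin", "delete", False),
]


def split_examples(log):
    """Turn the log into per-user sets of granted and denied permissions."""
    granted, denied = {}, {}
    for user, perm, ok in log:
        (granted if ok else denied).setdefault(user, set()).add(perm)
    return granted, denied


def candidate_role_permissions(user_roles, granted):
    """Most specific hypothesis per role: the permissions that every observed
    member of the role was granted (effective, i.e. including inheritance)."""
    cands = {}
    for user, roles in user_roles.items():
        perms = granted.get(user, set())
        for r in roles:
            cands[r] = set(perms) if r not in cands else cands[r] & perms
    return cands


def infer_hierarchy(cands):
    """senior -> junior edge when the senior's members hold a strict superset of
    the junior's permissions; returned as a transitive reduction."""
    edges = {(a, b) for a in cands for b in cands if a != b and cands[a] > cands[b]}
    return {(a, b) for (a, b) in edges
            if not any((a, c) in edges and (c, b) in edges for c in cands)}


def all_juniors(role, hierarchy):
    """Every role reachable downward from `role` through the hierarchy."""
    out, stack = set(), [role]
    while stack:
        r = stack.pop()
        for a, b in hierarchy:
            if a == r and b not in out:
                out.add(b)
                stack.append(b)
    return out


def infer_direct_assignments(cands, hierarchy):
    """A permission is assigned directly to a role only when no junior role
    already supplies it; everything else is explained by inheritance."""
    direct = {}
    for r, perms in cands.items():
        inherited = set().union(*(cands[j] for j in all_juniors(r, hierarchy)))
        direct[r] = perms - inherited
    return direct


def check_against_denials(user_roles, cands, denied):
    """Negative examples: the hypothesis must not grant any logged denial."""
    violations = []
    for user, perms in denied.items():
        predicted = set().union(*(cands[r] for r in user_roles.get(user, set())))
        violations += sorted((user, p) for p in perms & predicted)
    return violations


def infer_rbac(user_roles, log):
    """Run the whole induction and report hierarchy, assignments and conflicts."""
    granted, denied = split_examples(log)
    cands = candidate_role_permissions(user_roles, granted)
    hierarchy = infer_hierarchy(cands)
    return {
        "effective": cands,
        "hierarchy": hierarchy,
        "direct": infer_direct_assignments(cands, hierarchy),
        "violations": check_against_denials(user_roles, cands, denied),
    }


if __name__ == "__main__":
    result = infer_rbac(USER_ROLES, ACCESS_LOG)
    for senior, junior in sorted(result["hierarchy"]):
        print(f"{senior} inherits from {junior}")
    for role, perms in sorted(result["direct"].items()):
        print(f"{role}: directly assigned {sorted(perms)}")
    print("denials contradicted by hypothesis:", result["violations"])
```

The intersection step makes the hypothesis a lower bound: a permission a role really holds but that no member ever attempted will not appear, which is the usual caveat when policy is reconstructed from logs rather than read from the policy store. A non-empty `violations` list means the background knowledge or the hypothesis space is wrong (for example, a constraint the model does not represent), which is exactly the signal an ILP system uses to refine its hypothesis.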

[1] http://en.wikipedia.org/wiki/Rbac
[2] http://en.wikipedia.org/wiki/Inductive_logic_programming
[3] http://en.wikipedia.org/wiki/PROGOL


UMBC ebiquity