ABAC policy mining method based on hierarchical clustering and relationship extraction

Abstract

With the rapid development of information technology, the traditional access control model has faced challenges in meeting the demands of practical applications. As a result, the ABAC model has emerged as a more flexible and adaptable solution, gaining popularity among enterprises. However, constructing an ABAC policy set for heterogeneous access control systems (DAC, MAC, RBAC and other non-ABAC systems) has proven to be complex and time-consuming. In this paper, we propose an ABAC policy mining method based on a clustering algorithm, aiming to extract ABAC policies from access control logs and facilitate the heterogeneous policy migration. Regardless of the access control model used by the original system, its security intent can be reflected by the access control logs. Our method segments and encodes log information using a decision tree, generating a matrix representation that characterizes the logs. Hierarchical clustering is then employed to group similar logs into clusters and extract attribute relationships, thus constructing the ABAC policy set. Additionally, policy optimization techniques such as policy pruning, refinement, and analysis are applied to enhance the policy set. Experimental results demonstrate the effectiveness of our method, achieving 5.7 % F−score improvement and 41.4 % WSC decrease compared to the comparison method. Moreover, when applied to noisy and sparse logs, our method achieves 12.5 % F−score improvement while reducing the WSC by 29.4 %.