Machine Learning
for Access Control Policy Verification: NISTIR 8360 Published
Access control policy verification ensures that there are
no faults within the policy that leak or block access privileges. As a
software test, access control policy verification relies on methods
such as model proof, data structure, system simulation, and test oracle
to verify that the policy logic functions as expected. However, these
methods have capability and performance issues related to inaccuracy
and complexity limited by applied technologies. For instance, model
proof, test oracle, and data structure methods initially assume that
the policy under verification is faultless unless the policy model
cannot hold for test cases. Thus, the challenge of the method is to
compose test cases that can comprehensively discover all faults.
Alternatively, a system simulation method requires translating the
policy to a simulated system. The translation between systems may be
difficult or impractical to implement if the policy logic is
complicated or the number of policy rules is large.
NISTIR 8360, Machine Learning for Access Control Policy Verification,
proposes an efficient and straightforward method for access control
policy verification by applying a classification algorithm of machine
learning, which does not require comprehensive test cases, oracle, or
system translation but rather checks the logic of policy rules
directly, making it more efficient and feasible compared to traditional
methods. Ultimately, three general applications are provided:
enhancement of existing verification methods, verification of access
control policies with numerical attributes, and policy enforcement that
can be supported by the proposed machine learning policy verification
method.
|