journal article Dec 23, 2024

SoK: Access Control Policy Generation from High-level Natural Language Requirements

Abstract
Administrator-centered access control failures can cause data breaches, putting organizations at risk of financial loss and reputation damage. Existing graphical policy configuration tools and automated policy generation frameworks attempt to help administrators configure and generate access control policies by avoiding such failures. However, graphical policy configuration tools are prone to human errors, making them unusable. On the other hand, automated policy generation frameworks are prone to erroneous predictions, making them unreliable. Therefore, to find ways to improve their usability and reliability, we conducted a Systematic Literature Review analyzing 49 publications. The thematic analysis of the publications revealed that graphical policy configuration tools are developed to write and visualize policies manually. Moreover, automated policy generation frameworks are developed using machine learning (ML) and natural language processing (NLP) techniques to automatically generate access control policies from high-level requirement specifications. Despite their utility in the access control domain, limitations of these tools, such as the lack of flexibility, and limitations of frameworks, such as the lack of domain adaptation, negatively affect their usability and reliability, respectively. Our study offers recommendations to address these limitations through real-world applications and recent advancements in the NLP domain, paving the way for future research.


Metrics
8 citations, 111 references

Details
Published: Dec 23, 2024
Vol/Issue: 57(4)
Pages: 1-37

Cite This Article
Sakuna Harinda Jayasundara, Nalin Asanka Gamagedara Arachchilage, Giovanni Russello (2024). SoK: Access Control Policy Generation from High-level Natural Language Requirements. ACM Computing Surveys, 57(4), 1-37. https://doi.org/10.1145/3706057