Skip to content

Dataset and experimental results of the manuscript "On the Use of Max-SAT in RBAC" submitted to Cybersecurity journal.

License

Notifications You must be signed in to change notification settings

bancaditalia/Cybersecurity2019

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 

Repository files navigation

redirect_from: "bancaditalia.github.io/sacmat2018/"

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Cybersecurity2019

Dataset and experimental results of the manuscript "On the Use of Max-SAT in RBAC" submitted to Cybersecurity journal.

Datasets

SmallComp

Dataset generated by simplyfing the paper working example to obtain optimal solution with a wide range of B values thus enabling the comparison with sub-otpimal solvers

Input Link
Permission-to-User UPA
User-to-role UA
Permission-to-Role PA
Exception List excs
Violation List excs

All Max-SAT Formulas

Domino

Dataset benchmark used in Role-mining literature obtained from the user access profiles of the Lotus Domino Server.

Input Link
Permission-to-User UPA
User-to-role UA
Permission-to-Role PA
Exception List excs

All Max-SAT Formulas

University

Dataset benchmark used in Role-ming literature generated from a template at the Stony Brook University.

Input Link
Permission-to-User UPA
User-to-role UA
Permission-to-Role PA
Exception List excs

All Max-SAT Formulas

Firewall1

Dataset benchmark used in Role-ming literature representing policies implemented though firewalls used to provide external users access to internal resources.

Input Link
Permission-to-User UPA
User-to-role UA
Permission-to-Role PA
Exception List excs

Max-SAT Formulas: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21

Selection of a Max-SAT solver

Complete Solvers

Solver SmallComp Domino University Firewall1
Maximo B<=0.5 B=0 B=0 B=0
MaxHS B<=0.4 B=0 B=0 -
LMHS B<=0.3 B=0 B=0 -
Ahmaxsat B<=0.25 - - -

Incomplete Solvers

Time complexity based on Firewall1 variant

90 online fixing instances of increasing size have been generated from Firewall1 by selecting more and more of its users (i.e., rows); each instance is associated with a single exception to incorporate and generates a Max-SAT encoding of growing size.

Number of users (CNF formula size) UA PA exc
5 users (0.3 MB) UA PA exc
21 users (5.1 MB) UA PA exc
37 users (11.3 MB) UA PA exc
53 users (27.5 MB) UA PA exc
69 users (54.9 MB) UA PA exc
85 users (79.6 MB) UA PA exc
101 users (120.1 MB) UA PA exc
117 users (162.4 MB) UA PA exc
133 users (231.7 MB) UA PA exc
149 users (300.9 MB) UA PA exc
165 users (337.2 MB) UA PA exc
181 users (380.7 MB) UA PA exc
197 users (519.1 MB) UA PA exc

The following figure shows the minimum timeout needed (y axis) to obtain a feasible solution for these inputs as a function of their size (x axis) with B=0.8. H_ResponseTime

Quality of incomplete solutions

Experiment based on SmallComp dataset to measure the ability of the incomplete solver adopted to satisfy the soft constraints. In particular, this is computed as the average weight of satisfied soft constraints over the total sum of weights for the 12 exceptions.

Average percentage of satisfied soft clauses (y axis) as a function of the balance B (x_axis) in the SmallComp dataset: rateSoft

Results are also available in plain text in rates.txt which are based on the evalaution of the three configurations:

Experimental Results

Impact of Beta

By adopting CCEHC Max-SAT solver we asses experimentally the impact of balance B to sim (similarity) and opt (simplicity) for three dataset.

Average similarity and simplicity (y axis) as a function of the balance B (x axis) with 21 values of B sampled at regular intervals: A_SimOpt.png

Average number of roles (y axis) after incorporating exceptions as a function of the balance B (x axis) for different dataset: A_Role.png

Average number of assignments (y axis) depending on the balance B (x axis): A_Ass.png

Average percentage of satisfied weights (y axis) depending on the balance B (x axis): A_SatRate.png

Impact of timeout

Results collected in the following are obtained starting from Domino to show the impact of the timeout with three different balance configurations:

Average simplicity in Domino (y axis) as a function of the timeout (x axis, secs) at different balance points B. C_timeoutOpt

Average similarity in Domino (y axis) as a function of the timeout (x axis, secs) at different balance points B. C_timeoutSim

Average number of roles in Domino (y axis) as a function of the timeout (x axis, secs) at different balance points B. C_timeoutRole

Average number of assignments in Domino (y axis) as a function of the timeout (x axis, secs) at different balance points B. C_timeoutAss

The order of exceptions with a variant of Domino dataset

We picked a string of 6 exceptions to be incorporated.

Input Link
Permission-to-User UPA
User-to-role UA
Permission-to-Role PA
Exception List excs

We generated all the 720 permutations as possibly different incorporating sequences. We fix each sequence and collected at each our metrics (715/720 paths considered as solvable in less than 60 seconds).

In the following is reported the distribution of the final number of roles obtained at different B values.

F

Corresponding input data are also available in the following:

License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

Images have been created by the means of a software with non-commercial license.

We are currently setting up a git-hub repository to host the “RBAC Maintance” Open Source software. Meanwhile we are available to distribute it upon reception of a simple request of interest sent to [email protected].

About

Dataset and experimental results of the manuscript "On the Use of Max-SAT in RBAC" submitted to Cybersecurity journal.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published