National Institute of Standards and Technology releases Machine Learning for Access Control Policy Verification NISTIR 8360
September 20, 2021
The National Institute of Standards and Technology (“NIST”) has released its report Machine Learning for Access Control Policy Verification (NISTIR 8360). It is a very technical document but useful for those interested in machine learning.
A machine learning classification algorithm is particularly efficient for system model verification because it does not require the comprehensive or complex test cases or oracles that traditional model verification methods need.
Among the machine learning algorithms used for software testing, two are capable of access control policy verification: decision tree (DT) and random forest classification (RFC), two of the main ML classification algorithms. DT and RFC algorithms apply binary tree algorithms that support the processing of non-regression analysis of binary data.
This report proposes a technique that applies the machine learning random forest classification algorithm, using access control policy rules as samples and the permission assigned to each rule as the classification target. The algorithm generates a classification subtree model of the policy, analyzes the accuracy in percentage against the model, and detects inconsistencies in the policy rules. It allows new and updated rules to be entered directly for verification in the form of data instead of system components.
Three general applications are provided:
- enhancement of existing verification methods,
- verification of access control policies with numerical attributes, and
- policy enforcement that can be supported by the proposed machine learning policy verification method.
An RFC algorithm is more suitable for access control policy verification because it generates decision subtrees that represent multiple model policy rules. A DT algorithm generates only a single decision tree model that represents a single rule.
The RFC method can support:
1. Enhancement of existing verification methods by checking the correctness of the policy model itself before applying it to test new or updated cases.
2. Verification of policies with numerical attributes.
3. Policy enforcement – the RFC method can be used by policy enforcing mechanisms to automatically decide the permission of an access request that was not delineated in any policy rule, especially for policies with a wide range of attribute values.
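The following is an added illustration of the workflow the report describes (rules as samples, permission as the class label, a forest of decision trees fitted to the policy, accuracy measured against the model, disagreeing rules flagged) and of the three applications listed above. It is not NIST's code and not taken from the report; it is a deliberately small pure-Python random forest over a constructed, hypothetical policy (roles, resources and actions are made up), so it runs offline without a machine learning library. Ties in a leaf or in the forest vote resolve to "deny", a fail-closed choice that the report does not prescribe.

```python
"""Added example: verifying an access control policy with a small random forest.
Hypothetical illustration of the NISTIR 8360 workflow; not NIST's code."""
import random
from collections import Counter

FEATURES = ("role", "resource", "action")

# Constructed sample policy (hypothetical). Each rule: (role, resource, action, permission).
POLICY = [
    ("admin", "reports", "read", "permit"),
    ("admin", "reports", "write", "permit"),
    ("admin", "hr_records", "read", "permit"),
    ("admin", "public", "read", "permit"),
    ("analyst", "reports", "read", "permit"),
    ("analyst", "reports", "write", "deny"),
    ("analyst", "hr_records", "read", "deny"),
    ("analyst", "hr_records", "write", "deny"),
    ("guest", "public", "read", "permit"),
    ("guest", "public", "write", "deny"),
    ("guest", "reports", "read", "deny"),
    ("guest", "hr_records", "read", "deny"),
    # Contradicts rule index 4: same attributes, opposite permission.
    ("analyst", "reports", "read", "deny"),
]


def gini(labels):
    """Gini impurity of a list of class labels."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def majority(labels):
    """Majority label; a tie resolves to 'deny' (fail closed)."""
    counts = Counter(labels)
    top = max(counts.values())
    winners = {lab for lab, c in counts.items() if c == top}
    return "deny" if len(winners) > 1 else winners.pop()


def best_split(rows, labels, feature_ids):
    """Best (feature, value) equality split among feature_ids, or None.
    Any split with both sides non-empty is a candidate; the largest Gini reduction wins."""
    parent = gini(labels)
    best, best_gain = None, -1.0
    for f in feature_ids:
        for v in sorted({r[f] for r in rows}):
            left = [labels[i] for i, r in enumerate(rows) if r[f] == v]
            right = [labels[i] for i, r in enumerate(rows) if r[f] != v]
            if not left or not right:
                continue
            gain = parent - (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if gain > best_gain:
                best, best_gain = (f, v), gain
    return best


def build_tree(rows, labels, rng, n_sub):
    """Grow a tree until a node is pure or its rows are indistinguishable.
    Each node tries a random subset of n_sub features first (the random forest
    ingredient) and falls back to all features if the subset cannot split."""
    if len(set(labels)) == 1:
        return ("leaf", labels[0])
    subset = rng.sample(range(len(FEATURES)), n_sub)
    split = best_split(rows, labels, subset) or best_split(rows, labels, range(len(FEATURES)))
    if split is None:
        return ("leaf", majority(labels))  # only contradictory duplicate rules end here
    f, v = split
    left = [i for i, r in enumerate(rows) if r[f] == v]
    right = [i for i, r in enumerate(rows) if r[f] != v]
    return ("node", f, v,
            build_tree([rows[i] for i in left], [labels[i] for i in left], rng, n_sub),
            build_tree([rows[i] for i in right], [labels[i] for i in right], rng, n_sub))


def predict_tree(tree, row):
    while tree[0] == "node":
        _, f, v, left, right = tree
        tree = left if row[f] == v else right
    return tree[1]


def build_forest(policy, n_trees=15, n_sub=2, seed=7):
    """Fit n_trees decision subtrees to the policy rules (samples) and permissions (labels)."""
    rows = [r[:3] for r in policy]
    labels = [r[3] for r in policy]
    rng = random.Random(seed)
    return [build_tree(rows, labels, rng, n_sub) for _ in range(n_trees)]


def predict(forest, row):
    """Majority vote across trees; returns (label, share of trees agreeing)."""
    votes = Counter(predict_tree(t, row) for t in forest)
    label = majority(list(votes.elements()))
    return label, votes[label] / len(forest)


def accuracy(forest, policy):
    """Fraction of the policy's own rules the fitted model reproduces."""
    return sum(predict(forest, r[:3])[0] == r[3] for r in policy) / len(policy)


def inconsistent_rules(forest, policy):
    """Indices of rules whose stated permission the model disagrees with (review these)."""
    return [i for i, r in enumerate(policy) if predict(forest, r[:3])[0] != r[3]]


def verify_rule(forest, rule):
    """Application 1: check a new or updated rule against the trained model."""
    label, share = predict(forest, rule[:3])
    return {"predicted": label, "agrees": label == rule[3], "share": share}


if __name__ == "__main__":
    forest = build_forest(POLICY)
    print(f"model accuracy against the policy: {accuracy(forest, POLICY):.1%}")
    for i in inconsistent_rules(forest, POLICY):
        print("review rule", i, POLICY[i], "-> model says", predict(forest, POLICY[i][:3]))
    # Updated rule that conflicts with the fitted model.
    print(verify_rule(forest, ("guest", "public", "write", "permit")))
    # Application 3: a request no rule delineates; the vote share shows how settled the answer is.
    print(predict(forest, ("guest", "reports", "write")))
```

On this constructed policy every tree reproduces each distinguishable rule, so the only disagreement is the contradictory duplicate at index 4, and accuracy lands at 12 of 13 rules; a real policy with many numerical attribute values would show lower fit accuracy, which is exactly the signal the report uses to locate rules worth review. The last call shows the enforcement use: a request that matches no rule still gets a decision, with the vote share as a confidence measure.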