English

Mining Domain-Based Policies

Cryptography and Security 2023-12-27 v1

Abstract

Protection domains are one of the most enduring concepts in Access Control. Entities with identical access control characteristics are grouped under the same protection domain, and domain-based policies assign access privileges to the protection domain as a whole. With the advent of the Internet of Things (IoT), devices play the roles of both subjects and objects. Domain-based policies are particularly suited to support this symmetry of roles. This paper studies the mining of domain-based policies from incomplete access logs. We began by building a theory of domain-based policies, resulting in a polynomial-time algorithm that constructs the optimal domain-based policy out of a given access control matrix. We then showed that the problem of domain-based policy mining (DBPM) and the related problem of mining policies for domain and type enforcement (DTEPM) are both NP-complete. Next, we looked at the practical problem of using a MaxSAT solver to solve DBPM. We devised sophisticated encodings for this purpose, and empirically evaluated their relative performance. This paper thus lays the groundwork for future study of DBPM.

Keywords

Cite

@article{arxiv.2312.15596,
  title  = {Mining Domain-Based Policies},
  author = {Si Zhang and Philip W. L. Fong},
  journal= {arXiv preprint arXiv:2312.15596},
  year   = {2023}
}
R2 v1 2026-06-28T14:01:13.080Z