Clustering and Recommendation Techniques for Access Control Policy Management
Managing access control policies can be a daunting process, given the frequent policy decisions that need to be made, and the potentially large number of policy rules involved. Policy management includes, but is not limited to: policy optimization, configuration, and analysis. Such tasks require a deep understanding of the policy and its building components, especially in scenarios where it frequently changes and needs to adapt to different environments. Assisting both administrators and users in performing these tasks is important in avoiding policy misconfigurations and ill-informed policy decisions.We investigate a number of clustering and recommendation techniques, and implement a set of tools that assist administrators and users in managing their policies. First, we propose and implement an optimization technique, based on policy clustering and adaptable rule ranking, to achieve optimal request evaluation performance. Second, we implement a policy analysis framework that simplifies and visualizes analysis results, based on a hierarchical clustering algorithm. The framework utilizes a similarity-based model that provides a basis of risk analysis on newly introduced policy rules.In addition to administrators, we focus on regular individuals whom nowadays manage their own access control polices on a regular basis. Users are making frequent policy decisions, especially with the increasing popularity of social network sites, such as Facebook and Twitter. For example, users are required to allow/deny access to their private data on social sites each time they install a 3rd party application. To make matters worse, 3rd party access requests are mostly uncustomizable by the user. We propose a framework that allows users to customize their policy decisions on social sites, and provides a set of recommendations that assist users in making well-informed decisions.Finally, as the browser has become the main medium for the user's online presence, we investigate the access control models for 3rd party browser extensions. Even though, extensions enrich the browsing experience of users, they could potentially represent a threat to their privacy. We propose and implement a framework that 1) monitors 3rd party extension accesses, 2) provides fine-grained permission controls, and 3) Provides detailed permission information to users in effort to increase their privacy awareness. To evaluate the framework we conducted a within-subjects user study and found the framework to effectively increase user awareness of requested permissions.