摘要
Access control mechanisms are widely used in multi-user IT systems where it is necessary to restrict access to computing resources.This is certainly true of file systems whereby information needs to be protected against unintended access.User permissions often evolve over time,and changes are often made in an ad hoc manner and do not follow any rigorous process.This is largely due to the fact that the structure of the implemented permissions are often determined by experts during initial system configuration and documentation is rarely created.Furthermore,permissions are often not audited due to the volume of information,the requirement of expert knowledge,and the time required to perform manual analysis.This paper presents a novel,unsupervised technique whereby a statistical analysis technique is developed and applied to detect instances of permission creep.The system(herein refereed to as Creeper)has initially been developed for Microsoft systems;however,it is easily extensible and can be applied to other access control systems.Experimental analysis has demonstrated good performance and applicability on synthetic file system permissions with an average accuracy of 96%.Empirical analysis is subsequently performed on five real-world systems where an average accuracy of 98%is established.
基金
This work was undertaken during a project funded by the UK’s Digital Catapult Researcher in Residency Fellowship programme(Grant Ref:EP/M029263/1).The funding supported the research,development,and empirical testing presented in this paper.
