Using constraint programming and graph representation learning for generating interpretable cloud security policies

Modern software systems rely on mining insights from business sensitive data stored in public clouds. A data breach usually incurs significant (monetary) loss for a commercial organization. Conceptually, cloud security heavily relies on Identity Access Management (IAM) policies that IT admins need to...

Bibliographic Details
Main Authors: KAZDAGLI, Mikhail, TIWARI, Mohit, KUMAR, Akshat
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2022
Online Access: https://ink.library.smu.edu.sg/sis_research/7717
https://ink.library.smu.edu.sg/context/sis_research/article/8720/viewcontent/Using_constraint_programming_and_graph_representation_learning_for_generating_interpretable_cloud_security_policies.pdf
Institution: Singapore Management University
id sg-smu-ink.sis_research-8720
record_format dspace
spelling sg-smu-ink.sis_research-8720 2023-01-10T02:54:36Z Using constraint programming and graph representation learning for generating interpretable cloud security policies KAZDAGLI, Mikhail TIWARI, Mohit KUMAR, Akshat Modern software systems rely on mining insights from business sensitive data stored in public clouds. A data breach usually incurs significant (monetary) loss for a commercial organization. Conceptually, cloud security heavily relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. Security negligence and human errors often lead to misconfiguring IAM policies which may open a backdoor for attackers. To address these challenges, first, we develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP). We identify reducing dormant permissions of cloud users as an optimality criterion, which intuitively implies minimizing unnecessary datastore access permissions. Second, to make IAM policies interpretable, we use graph representation learning applied to historical access patterns of users to augment our CP model with similarity constraints: similar users should be grouped together and share common IAM policies. Third, we describe multiple attack models and show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances. 2022-07-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7717 https://ink.library.smu.edu.sg/context/sis_research/article/8720/viewcontent/Using_constraint_programming_and_graph_representation_learning_for_generating_interpretable_cloud_security_policies.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Artificial Intelligence and Robotics Databases and Information Systems
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Artificial Intelligence and Robotics
Databases and Information Systems
description Modern software systems rely on mining insights from business sensitive data stored in public clouds. A data breach usually incurs significant (monetary) loss for a commercial organization. Conceptually, cloud security heavily relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. Security negligence and human errors often lead to misconfiguring IAM policies which may open a backdoor for attackers. To address these challenges, first, we develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP). We identify reducing dormant permissions of cloud users as an optimality criterion, which intuitively implies minimizing unnecessary datastore access permissions. Second, to make IAM policies interpretable, we use graph representation learning applied to historical access patterns of users to augment our CP model with similarity constraints: similar users should be grouped together and share common IAM policies. Third, we describe multiple attack models and show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances.
format text
author KAZDAGLI, Mikhail
TIWARI, Mohit
KUMAR, Akshat
title Using constraint programming and graph representation learning for generating interpretable cloud security policies
publisher Institutional Knowledge at Singapore Management University
publishDate 2022
url https://ink.library.smu.edu.sg/sis_research/7717
https://ink.library.smu.edu.sg/context/sis_research/article/8720/viewcontent/Using_constraint_programming_and_graph_representation_learning_for_generating_interpretable_cloud_security_policies.pdf
_version_ 1770576420447191040