Using constraint programming and graph representation learning for generating interpretable cloud security policies
Modern software systems rely on mining insights from business sensitive data stored in public clouds. A data breach usually incurs significant (monetary) loss for a commercial organization. Conceptually, cloud security heavily relies on Identity Access Management (IAM) policies that IT admins need to...
Main Authors: | KAZDAGLI, Mikhail; TIWARI, Mohit; KUMAR, Akshat |
---|---|
Format: | text |
Language: | English |
Published: | Institutional Knowledge at Singapore Management University 2022 |
Subjects: | |
Online Access: | https://ink.library.smu.edu.sg/sis_research/7717 https://ink.library.smu.edu.sg/context/sis_research/article/8720/viewcontent/Using_constraint_programming_and_graph_representation_learning_for_generating_interpretable_cloud_security_policies.pdf |
Institution: | Singapore Management University |
id |
sg-smu-ink.sis_research-8720 |
---|---|
record_format |
dspace |
spelling |
sg-smu-ink.sis_research-8720 2023-01-10T02:54:36Z Using constraint programming and graph representation learning for generating interpretable cloud security policies KAZDAGLI, Mikhail TIWARI, Mohit KUMAR, Akshat Modern software systems rely on mining insights from business sensitive data stored in public clouds. A data breach usually incurs significant (monetary) loss for a commercial organization. Conceptually, cloud security heavily relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. Security negligence and human errors often lead to misconfiguring IAM policies which may open a backdoor for attackers. To address these challenges, first, we develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP). We identify reducing dormant permissions of cloud users as an optimality criterion, which intuitively implies minimizing unnecessary datastore access permissions. Second, to make IAM policies interpretable, we use graph representation learning applied to historical access patterns of users to augment our CP model with similarity constraints: similar users should be grouped together and share common IAM policies. Third, we describe multiple attack models and show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances. 2022-07-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7717 https://ink.library.smu.edu.sg/context/sis_research/article/8720/viewcontent/Using_constraint_programming_and_graph_representation_learning_for_generating_interpretable_cloud_security_policies.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Artificial Intelligence and Robotics Databases and Information Systems |
institution |
Singapore Management University |
building |
SMU Libraries |
continent |
Asia |
country |
Singapore Singapore |
content_provider |
SMU Libraries |
collection |
InK@SMU |
language |
English |
topic |
Artificial Intelligence and Robotics Databases and Information Systems |
spellingShingle |
Artificial Intelligence and Robotics Databases and Information Systems KAZDAGLI, Mikhail TIWARI, Mohit KUMAR, Akshat Using constraint programming and graph representation learning for generating interpretable cloud security policies |
description |
Modern software systems rely on mining insights from business sensitive data stored in public clouds. A data breach usually incurs significant (monetary) loss for a commercial organization. Conceptually, cloud security heavily relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. Security negligence and human errors often lead to misconfiguring IAM policies which may open a backdoor for attackers. To address these challenges, first, we develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP). We identify reducing dormant permissions of cloud users as an optimality criterion, which intuitively implies minimizing unnecessary datastore access permissions. Second, to make IAM policies interpretable, we use graph representation learning applied to historical access patterns of users to augment our CP model with similarity constraints: similar users should be grouped together and share common IAM policies. Third, we describe multiple attack models and show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances. |
format |
text |
author |
KAZDAGLI, Mikhail TIWARI, Mohit KUMAR, Akshat |
author_facet |
KAZDAGLI, Mikhail TIWARI, Mohit KUMAR, Akshat |
author_sort |
KAZDAGLI, Mikhail |
title |
Using constraint programming and graph representation learning for generating interpretable cloud security policies |
title_short |
Using constraint programming and graph representation learning for generating interpretable cloud security policies |
title_full |
Using constraint programming and graph representation learning for generating interpretable cloud security policies |
title_fullStr |
Using constraint programming and graph representation learning for generating interpretable cloud security policies |
title_full_unstemmed |
Using constraint programming and graph representation learning for generating interpretable cloud security policies |
title_sort |
using constraint programming and graph representation learning for generating interpretable cloud security policies |
publisher |
Institutional Knowledge at Singapore Management University |
publishDate |
2022 |
url |
https://ink.library.smu.edu.sg/sis_research/7717 https://ink.library.smu.edu.sg/context/sis_research/article/8720/viewcontent/Using_constraint_programming_and_graph_representation_learning_for_generating_interpretable_cloud_security_policies.pdf |
_version_ |
1770576420447191040 |