We gratefully acknowledge support from
the Simons Foundation and member institutions.
Full-text links:


Current browse context:


Change to browse by:

References & Citations

DBLP - CS Bibliography


(what is this?)
CiteULike logo BibSonomy logo Mendeley logo del.icio.us logo Digg logo Reddit logo ScienceWISE logo

Computer Science > Cryptography and Security

Title: Using Constraint Programming and Graph Representation Learning for Generating Interpretable Cloud Security Policies

Abstract: Modern software systems rely on mining insights from business sensitive data stored in public clouds. A data breach usually incurs significant (monetary) loss for a commercial organization. Conceptually, cloud security heavily relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. Security negligence and human errors often lead to misconfiguring IAM policies which may open a backdoor for attackers. To address these challenges, first, we develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP). We identify reducing dark permissions of cloud users as an optimality criterion, which intuitively implies minimizing unnecessary datastore access permissions. Second, to make IAM policies interpretable, we use graph representation learning applied to historical access patterns of users to augment our CP model with similarity constraints: similar users should be grouped together and share common IAM policies. Third, we describe multiple attack models and show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances.
Comments: to be published in IJCAI/ECAI'22
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
Cite as: arXiv:2205.01240 [cs.CR]
  (or arXiv:2205.01240v4 [cs.CR] for this version)

Submission history

From: Mikhail Kazdagli [view email]
[v1] Mon, 2 May 2022 22:15:07 GMT (2240kb)
[v2] Sun, 8 May 2022 06:09:27 GMT (2440kb)
[v3] Wed, 1 Jun 2022 00:05:30 GMT (5095kb)
[v4] Mon, 13 Jun 2022 08:44:29 GMT (5054kb)

Link back to: arXiv, form interface, contact.