Researchers at the University of Electro-Communications have developed a groundbreaking framework for improving system security by analyzing business process logs. This framework focuses on ensuring that role-based access control (RBAC) rules-critical to managing who can access specific system resources-are correctly implemented. Noncompliance with these rules, whether due to error or malicious activity, can result in unauthorized access and pose significant risks to organizations.
RBAC is a widely used access control model that relies on predefined roles assigned to users. However, as business processes become more complex, ensuring compliance with RBAC policies becomes more challenging. Existing methods often require extensive manual auditing or lack the tools to model and analyze complex scenarios. The new framework addresses these issues by integrating Role-Based Access Control Domain-Specific Language (RBAC DSL) and Object Constraint Language (OCL) invariant patterns to automate policy validation.
The process begins by transforming business process logs into structured models. These models are then analyzed to identify potential violations of access control rules. For example, the framework can detect if two tasks requiring different roles are being improperly performed by the same user. To help organizations understand and resolve these issues, the framework provides visualizations of the detected violations, significantly reducing the manual effort required for security audits.
The research team successfully tested the framework on both real and simulated datasets, including the BPI Challenge 2017 dataset. In one case, it detected violations such as tasks requiring different roles being performed by the same person. Its flexibility and scalability make it adaptable to different industries, from e-commerce to finance. This approach not only identifies compliance gaps, but also helps organizations maintain robust security standards.
A key innovation of the framework is the integration of process mining techniques with security policy validation, providing a dynamic, automated approach that reduces human error and adapts to diverse systems. Future research aims to extend the framework to support other access control models, such as attribute-based access control (ABAC) and category-based access control (CBAC). The team is also exploring the use of large language models, such as GPT-4, to analyze sequential data in event logs.
By automating compliance checks, this framework not only enhances security, but also reduces operational risk and supports regulatory compliance. The researchers aim to work with industry partners to refine and implement the framework in real-world systems, bridging academic research and practical application to set new standards for access control compliance.
Authors;
Duc-Hieu Nguyen (Main)
-- The University of Electro-Communications, PhD student
Yuichi Sei
-- The University of Electro-Communications, Professor
Yasuyuki Tahara
-- The University of Electro-Communications, Associate Professor
Akihiko Ohsuga
-- The University of Electro-Communications, Professor
