Automatic Extraction of Access Control Policies from Natural Language Documents

A fundamental management responsibility is securing information systems. Almost all applications that deal with safety, privacy, or defense include some form of access control. There are a plethora of access control models in the information security realm such as role-based access control and attribute-based access control. However, the initial development of access control policies (ACPs) can be very challenging. Most organizations have high-level requirement specifications that include a set of ACPs, which describe allowable operations of the system. It is time consuming and error-prone to manually sift through these documents and extract ACPs. In this paper, we propose a new framework towards extracting ACPs from unrestricted natural language documents using semantic role labeling (SRL). We were able to correctly identify ACP elements with an average $F_1$F1 score of 75 percent, which bested the previous work by 15 percent. Furthermore, as SRL tools are often trained on publicly available corpora such as Wall Street Journal, we investigated the idea of improving SRL performance using domain-related knowledge. We utilized domain adaptation and semi-supervised learning techniques and were able to improve the SRL performance by 2 percent using only a small amount of access control data.