Towards Machine Learning Based Access Control




Nobi, Mohammad Nur

Journal Title

Journal ISSN

Volume Title



A common trait of current access control approaches is the challenging need to engineer abstract and intuitive access control models. This entails designing access control information in the form of roles (RBAC), attributes (ABAC), or relationships (ReBAC) as the case may be, and subsequently, designing access control rules. This framework has its benefits but has significant limitations in modern systems that are dynamic, complex, and large-scale, due to which it is not straightforward to maintain an accurate access control state in the system for a human administrator. This dissertation proposes to exploit the power of machine learning to solve access control decision-making problems. In particular, we propose Deep Learning Based Access Control (DLBAC) by leveraging significant advances in deep learning technology as a potential solution to this problem. We envision that DLBAC could complement and, in the long-term, even replace classical access control models with a neural network that reduces the burden of attribute/policy engineering and updates. Without loss of generality, we implement a candidate DLBAC model, called DLBAC_alpha, using real-world and synthetic datasets. We thoroughly investigate its performance benefits by comparing it with classical ML-based approaches and ABAC models. We demonstrate the feasibility of the DLBAC by addressing issues related to accuracy, generalization, and explainability. As DLBAC makes access decisions using a black-box neural network, we provide two approaches for understanding DLBAC decisions in human terms. Moreover, we discuss administration practices in traditional access control system, which is managed by human administrators, making the overall administration process error-prone, tedious, and ineffective. We overcome these challenges and inefficiencies in machine learning-based access control (MLBAC) by introducing novel techniques. Our experimentation reveals that DLBAC is more efficient than classical machine learning-based systems for capturing changes in access control state across the life of a system. We also investigate the MLBAC's adversarial attack problem, focusing on manipulating information of users and resources to gain unauthorized access. We demonstrate that it is possible to design adversarial attacks for ML models deployed for access decisions by modifying a subset of user-resource metadata. Also, we show that there is potential to reduce adversarial attacks to some extent by utilizing access control-specific constraints. Besides, to demonstrate the efficiency of MLBAC in complicated real-world settings, we implement DLBAC to decide the permission decisions of different apps on mobile devices. We show that in over 88% of cases, the DLBAC can accurately predict access permissions for different apps utilizing the characteristics of the requesting apps and the context of the device and its user. Such an outcome signifies that the DLBAC can recommend permissions and alert and stop users from granting unanticipated permissions. Finally, we discuss challenges and future research directions related to MLBAC and DLBAC, including administration, adversarial attack, bias and fairness, verification, etc. Also, we highlight the potentiality of DLBAC to operate in tandem with traditional access control systems to monitor and reinforce traditional access control systems' decisions.


This item is available only to currently enrolled UTSA students, faculty or staff. To download, navigate to Log In in the top right-hand corner of this screen, then select Log in with my UTSA ID.


access control, access control administration, adversarial attack in access control, authorization, deep learning based access control, machine learning



Computer Science