Automated Extraction and Validation of Security Policies from Natural-Language Documents

As one of the most fundamental security mechanisms of resources, Access Control Policies (ACP) specify which principals such as users or processes have access to which resources Ensuring the correct specification and enforcement of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not directly checkable for correctness. It is very tedious and error-prone to manually identify and extract ACPs from these NL documents, and validate NL functional requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose a novel approach, called Text2Policy, that automatically extracts ACPs from NL documents and extracts action steps from NL scenario-based functional requirements (such as use cases). From the extracted ACPs, Text2Policy automatically generates checkable ACPs in specification languages such as XACML. From the extracted action steps, Text2Policy automatically derives access control requests that can be validated against specified or extracted ACPs to detect inconsistencies. To assess the effectiveness of Text2Policy, we conduct three evaluations on the collected ACP sentences from 18 sources and 37 use cases from an open source project called iTrust (including 448 use-case sentences). The results show that Text2Policy effectively extracts ACPs from NL documents and action steps from use cases for detecting issues in the use cases.

By: Xusheng Xiao; Amit Paradkar; Tao Xie

Published in: RC25128 in 2011


This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.


Questions about this service can be mailed to .