rmmdi: a novel framework for role mining based on the

Research ArticleRMMDI A Novel Framework for Role Mining Based onthe Multi-Domain Information

Wei Bai Zhisong Pan Shize Guo and Zhe Chen

Command amp Control Engineering College Army Engineering University of PLA Nanjing 210014 China

Correspondence should be addressed to Zhisong Pan hotpzshotmailcom

Received 20 November 2018 Revised 14 March 2019 Accepted 24 April 2019 Published 11 June 2019

Guest Editor Rohit Ranchal

Copyright copy 2019 Wei Bai et al This is an open access article distributed under the Creative Commons Attribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Role-based access control (RBAC) is widely adopted in network security management and role mining technology has beenextensively used to automatically generate user roles from datasets in a bottom-up way However almost all role mining methodsdiscover the user roles from existing user-permission assignments which neglect the dependency relationships between userpermissions To extend the ability of role mining technology this paper proposes a novel role mining framework based on multi-domain informationThe framework estimates the similarity between different permissions based on the fundamental informationin the physical network and digital domains and attaches interdependent permissions to the same role Three simulated networkscenarios with different multi-domain configurations are used to validate the effectiveness of our methodThe experimental resultsshow that the method can not only capture the interdependent relationships between permissions but also detect user roles andpermissions more reasonably

1 Introduction

Access control is a fundamental concern in network securitymanagement Role-based access control (RBAC) has becomethe dominant model for both commercial and research fields[1 2] The key point of RBAC is to determine proper roles tocapture business needs which is named as role engineeringThere are mainly two kinds of approaches to find user rolestop-down and bottom-up The top-down approaches alwaysperform a deep analysis of business processes and identifyuser roles manually [3] while the bottom-up approachesalways discover the user roles from existing datasets automat-ically which are also named as role mining as they usuallyresort to data mining techniques [4 5]

Existing rolemining approachesmainly discover a properuser-role assignment relation 119880119860 sube 119880119878119864119877119878 times 119877119874119871119864119878 and aproper role-permission assignment relation 119875119860 sube 119877119874119871119864119878 times119875119864119877119872119878 from an existing user-permission assignment rela-tion119880119875119860 sube 119880119878119864119877119878times119875119864119877119872119878 In the process user-permissionassignments are considered to be independent Howeverconsidering a typical service authorization process users areauthorized by multiple policy control points including gatemachines firewalls or identity authentication systemsThose

systems are always configured separately andmay grant userswithmore permissions than they deserve For example userswho are authorized to enter certain space may have theopportunity to use the terminals belong to other users inthe same space users can connect the server behind thefirewall remotely to bypass the access control lists and accessunauthorized services users can use the assigned passwordsto crack similar passwords for other unauthorized servicesetc In a word if the interdependent relationships are nottaken into consideration users with certain roles would getextra permissions introducing security vulnerabilities intonetwork systems

To address the above-mentioned issues this paper pro-poses a novel rolemining framework named as RMMDI fromthe perspective of network security management Insteadof mining user roles from user-permission assignments theframework discovers user roles from the fundamental infor-mation in multiple domains including the physical domainnetwork domain and digital domain The framework isaimed at outputting a flat RBAC state that divides user per-missions into several disjoint subsets The user permissionsin one set tend to be interdependent while the permissionsin different sets tend to be independent If a permission

HindawiSecurity and Communication NetworksVolume 2019 Article ID 8085303 15 pageshttpsdoiorg10115520198085303

2 Security and Communication Networks

set is assigned to a user role a user assigned some roles isunlikely to get extra permissions assigned to other roles Assuch potential security risks involved in the user-permissionassignments process can be avoided

The rest of this paper is organized as follows In Section 2some general works are briefly reviewed Section 3 presentsthe proposed framework in detail Section 4 shows theexperimental setup and results and Section 5 presents a com-prehensive discussion At last Section 6 provides concludingremarks

2 Related Work

21 Role Mining RBAC has become a dominating model foraccess control in network security Instead of assigning per-missions to the user directly RBAC introduces the conceptof roles to make access control system more compact andcomprehensive [6] A role is defined as a collection of permis-sions The key point of RBAC is to generate proper roles Inthis process the bottom-up approach named as role mininggets muchmore attention than the top-down approach as thelatter is time-consuming and human-intensive [3]

Kuhlmann et al first proposed the concept of role miningfor finding roles from user-permission assignment data [7]Traditional role mining approaches are mainly divided intotwo classes based on their output [5 8 9] The first classis to output a prioritized list of candidate roles each ofwhich is assigned a priority value A larger priority valuemeans the role is more important or useful Complete Miner(CM) and Fast Miner (FM) are two typical algorithms of thefirst class which identify overlapping clusters by analyzingthe subset enumeration in an unsupervised way [10] Thesecond class is to output a complete RBAC state under acertain cost There are also a lot of classic algorithms inthe class for example OFFIS Role mining tool with ClusterAnalysis (ORCA) [11] Hierarchical Miner (HM) [12] GraphOptimization (GO) [13] HP Role Minimization (HPr) [14]and HP Edge Minimization (HPe) [14]

Besides those traditional role mining algorithms thereare also many important approaches that emerged in recentyears For example Frank et al proposed a probabilisticapproach to improve the role mining process by takingaccount of the business information The approach uti-lized the similarity between user-permission relations todetect exceptional assignments and wrong assignments [15]Besides entropy-based methods were used in this approachto analyze the impact of business knowledge on role mining[16] Alessandro et al presented an approach that allowedrole engineers to leverage business information In the rolemining process the access data was divided into smallersubsets from a business perspective firstly and then tradi-tional methods can be used to discover roles with businessmeanings [5] Iran et al proposed a method based on formalconcept lattices to discover roles with semantic meanings[12] as well as a method based on logistic PCA (PrincipalComponent Analysis) to eliminate data noises [17] Du Xand Change X proposed two algorithms based on artificialintelligence ie the genetic algorithm and ant colony opti-mization algorithm [18] Dong et al proposed both fast exact

and heuristic methods based on biclique network cover tominimize role number or edge number [19]

With regard to goodness measure several metrics havebeen proposed in the literature including minimizing thenumber of roles [10 20] minimizing the number of edges[13 14 19] minimizing the number of user-role assignmentand permission-role assignment relations [13] minimizingboth the number of roles and edges [21] and minimizing theadministrative cost [22]These optimization goals can be uni-formly represented by the Weighted Structural Complexity(WSC) [8 9]

Although there are a lot of effective role miningapproaches most of them neglect the relationships betweenuser permissions From the perspective of network securitymanagement user permissions are not independent A useror potential attacker may get extra permissions from thepreassigned permissions which may introduce fatal risksto network security Hence in the framework RMMDIwe model the interrelationships between user permissionsfrom multi-domain configuration information and get morereasonable user roles mitigating the vulnerabilities andstrengthening network security

22 Multi-Domain Information Modeling Traditional net-work security analysis mainly concentrates on the networkdomain with a few concerns on other domains Howeverwith the deepening of research on insider threat an increas-ing number of studies have shown that the attacker will attackthe network not only in digital ways but also through thephysical domain and social domain

The existingmethods of jointmodeling of networkmulti-domain information mainly define multi-domain informa-tion by using the formalized methods and then make infer-ence based on the logical rules to judge whether the systemcan reach the unsafe state Probst et al proposed a formalmodel for describing scenarios that span the physical anddigital domain [23 24] Kotenko et al proposed a model fordescribing attacks that use social engineering and physicalaccess based on the preconditions and postconditions ofatomic actions [25] Scott et al built a security model thatadds a spatial relationship between the elements in theambient calculus [26] Dimkov presented a security modelnamed as Portunes graph to abstract the environment of anorganization into a stratified graph which involved the infor-mation in physical digital and social domain information[27] Kammuller and Probst combined formal modeling andanalysis of infrastructures of organizationswith a sociologicalexplanation to provide a framework for insider threat analysis[28]

In this paper we take possible interaction effects amongmulti-domain permissions into consideration which are thebasis of similar permission finding and role mining based onmultiple domain information

23 Multi-View Community Detection The community is auniversal property in many complex networks which meansthat network nodes can be divided into small groups [26]Traditional community detection methods only utilize singlenetwork information And several multiview community

Security and Communication Networks 3

Basic information

acquisition

Relationship network

construction

Community detection

and role definition

Multi-domain entity information

Multi-domain relationship information

Rolepermission assignmentsUser roles

Device Perspective Service Network

Information Perspective Service Network

Multi-view Service Network

Figure 1 Role mining framework based on multi-domain information

detection methods have been proposed which utilize moreinformation and achieve better performance

Nonnegative Matrix Factorization (NMF) [29] is a clas-sic clustering method and several multi-view communitydetection methods based on NMF are proposed Akata etal proposed a method to jointly factorize multiple datamatrices through a shared coefficient matrix [30] Liu et alproposed MultiNMF that regularizes the coefficient matriceslearned from different views towards a common consensusfor clustering [31] He et al extended NMF for multiviewclustering by jointly factorizing themultiplematrices throughcoregularization [32] Pei et al proposed a nonnegativematrix tri-factorization (NMTF) based clustering frameworkwith three types of graph regularization [33] Li et al pro-posed a framework based on regularized joint nonnegativematrix factorization (RJNMF) to utilize link and contentinformation jointly to enhance the community detectionaccuracy [34]

In the framework RMMDI we use the Pairwise Coreg-ularized NMF clustering algorithm proposed in [32] tomerge the information from two service networks (views)Experiments show that it can get more information thanfrom a single view and make the role mining results morereasonable

3 Role Mining Framework Based onMulti-Domain Information

In this paper we proposed a role mining framework based onthe multi-domain information which is named as RMMDIThe framework is aimed at dividing possible user permissionsinto several disjoint subsets and assigning each subset to auser roleThen users are assigned with one ormore necessaryroles according to the permission they deserveThe structureof RMMDI is shown in Figure 1 The framework can bedivided into three modules basic information acquisitionrelationship network construction and community detectionand role definition

The basic information acquisition module obtains thenecessary basic information from the target network includ-ing multi-domain entity information and relationship infor-mation The relationship network construction module con-structs eight networks based on the obtained basic infor-mation including the intermediate networks and ultimatenetworks The community detection and role definitionmodule detects permission communities on the ultimatenetworks by a multi-view community detection method anddefines possible user roles

31 Basic Information Acquisition The basic informationacquisition module is to collect network basic informationincluding the entities and entity relationships in the physicaldomain network domain and information domain whichare the foundation of relationship network construction

311 Entity There are five kinds of entities involved in theframework ie space object service info and user

Entity space represents specific physical space such as citycampus building or room which is in the physical domainAll the space entities are represented as a set 119873119878 Entityobject is also located at the physical domain and representsnetwork device like router switch or terminal All the objectentities are represented as a set 119873119874 Entity service is in thenetwork domain and represents network service like HTTP(Hypertext Transfer Protocol) FTP (File Transfer Protocol)and Email All the service entities are represented as a set119873119881 Entity info is in the digital domain and represents theinformation like password data or digital file All the infoentities are represented as a set 119873119868 Entity user representsnetwork user All the user entities are represented as a set119873119880312 Relationships There are seven kinds of relationshipsinvolved in the framework ie spatial similarity relation-ships containment relationships service access relationshipslocal management relationships remote management rela-tionships service domination relationships and info domi-nation relationships


Spatial similarity relationships are described by thematrix119872119878119878 isin 119860119878times119878 where 119860 = 0 1 and 119878 = |119873119878|119872119878119878(119894 119895)is determined by

119872119878119878 (119894 119895) =

1 if (119894 = 119895) or u (119894 119895) + u (119895 119894) gt 1205760 otherwise

(1)

where 119906(119894 119895) is the number of users who can move fromspace 119899119904119894 to space 119899119904119895 and 120576 is the threshold value rangingfrom 0 to 2|119873119880|

Device containment relationships are described by thematrix 119872119874119878 isin 119860119874times119878 where 119860 = 0 1 119874 = |119873119874| and119878 = |119873119878|119872119874119878(119894 119895) is determined by the following

119872119874119878 (119894 119895) =

1 if object 119899119900119894 locates in space 1198991199041198950 otherwise

(2)

Service access relationships are described by the matrix119872119881119874 isin 119860119881times119874 where 119860 = 0 1 119881 = |119873119881| and 119874 = |119873119874|119872119881119874(119894 119895) is determined by the following

119872119881119874 (119894 119895)

=

1 if service 119899V119894 can be reach by device 1198991199001198950 119900119905ℎ119890119903119908119894119904119890

(3)

Local management relationships are described by thematrix 119872119874119881 119871 isin 119860119874times119881 where 119860 = 0 1 119874 = |119873119874| and119881 = |119873119881|119872119874119881 119871(119894 119895) is determined by the following

119872119874119881 119871 (i j)

=

1 if device 119899119900119894 can be managed by service 119899V119895 locally0 otherwise

(4)

Remote management relationships are described by thematrix 119872119874119881 119877 isin 119860119874times119881 where 119860 = 0 1 119874 = |119873119874| and119881 = |119873119881|119872119874119881 119877(119894 119895) is determined by the following

119872119874119881 119877 (119894 119895)

=

1 if device 119899119900119894 can be managed by service 119899V119895 remotely

0 otherwise

(5)

Service domination relationships are described by thematrix 119872119881119868 isin 119860119881times119868 where 119860 = 0 1 119881 = |119873119881| and119868 = |119873119868|119872119881119868(119894 119895) is determined by the following

119872119881119868 (119894 119895)

=

1 if the password of service 119899V119894 is 1198991198941198950 otherwise

(6)

Info domination relationships are described by thematrix119872119868119868 isin 119860119868times119868 where 119860 = 0 1 and 119868 = |119873119868| 119872119868119868(119894 119895) isdetermined by

119872119868119868 (119894 119895) =

1 if (119899119894119895 997888rarr 119899119894119894) or (119899119894119894 997888rarr 119899119894119895)0 otherwise

(7)

where symbol 119886 997888rarr 119887 indicates that information 119886 isdominated by information 119887 It means there is a service V isin119873119881 whose password is 119887 and from which the users can getinformation 11988632 RelationshipNetwork Construction Therelationship net-work construction module is to construct basic relationshipnetworks based on the obtained basic information As shownin Figure 2 there are eight networks to be constructedin total The ultimate goal of this module is to form theDevice View Service Network (DVSN) Information ViewService Network (IVSN) and Multiview Service Network(MVSN) These three ultimate networks are used in commu-nity detection and role definition Besides the three ultimatenetworks there are other five networks involved in user-rolemining which are named as LocalManagement ViewDeviceNetwork (LMVDN) Remote Management View DeviceNetwork (RMVDN) Local Information View Device Net-work (LIVDN) Remote Information View Device Network(RIVDN) and Multiview Device Network (MVDN) Thefive intermediate networks are the foundation to constructultimate networks The meanings of intermediate networksand ultimate networks are described as follows

321 Intermediate Networks The five intermediate networksare described as undirected weighted graphs whose adja-cency matrices are constructed from the seven basic relation-ship matrices

LMVDN The LMVDN represents the similarity betweendevices from a spatial (localmanagement) perspective whichmeans the devices located at similarity spaces are moresimilar than others The network is represented by theadjacencymatrix119860119874119874 119878 whose values represent the similarityof two devices The matrix is determined by the following

119860119874119874 119878 = 119872119874119878119872119878119878 (119872119874119878)119879 (8)

RMVDNThe RMVDN represents the similarity betweendevices from a remote management perspective whichmeans the devices that can be managed by similar manage-ment services are more similar than others The network isrepresented by the adjacencymatrix119860119874119874 119877 whose values rep-resent the similarity of two devicesThematrix is determinedby the following

119860119874119874 119877 = 119872119874 119881119877119872119881119874 + (119872119874 119881119877119872119881119874)119879 (9)

LIVDN The LIVDN represents the similarity betweendevices from the perspective of local management servicepassword which means the devices with similar local man-agement service password are more similar than others Thenetwork is represented by the adjacencymatrix119860119874119874 119868119871 whosevalues represent the similarity of two devices The matrix isdetermined by the following

119860119874119874 119868119871 = 119872119874119881 119871119872119881119868119872119868119868 (119872119874119881 119871119872119881119868)119879 (10)

RIVDN The RIVDN represents the similarity betweendevices from the perspective of remote management service


Local Management View Device Network

Remote ManagementView Device Network

Local Information View Device Network

Remote Information View Device Network

Multi-view DeviceNetwork

Device View Service Network

Information View Service Network


Spatial SimilarityRelationships

Remote ManagementRelationships

Service AccessRelationships

Local ManagementRelationships

Device ContainmentRelationships

Information DominationRelationships

Service dominationrelations

Figure 2 Relationship networks constructed in RMMDI

password which means the devices with similar remotemanagement service password are more similar than othersThe network is represented by the adjacency matrix 119860119874119874 119868119877whose values represent the similarity of two devices Thematrix is determined by the following

119860119874119874 119868119877 = 119872119874119881 119877119872119881119868119872119868119868 (119872119874119881 119877119872119881119868)119879 (11)

MVDN The MVDN represents the similarity betweendevices from multiple perspectives which merges the rela-tionships from the local management perspective and theremote management perspectiveThe network is representedby the adjacency matrix 119860119874119874 whose values represent thesimilarity of two devices The matrix is determined by

119860119874119874 = 119860119874119874 119878 sdot 119860119874119874 119868119871 + 119860119874119874 119877 sdot 119860119874119874 119868119877 (12)

where the symbol sdotmeans dot product of two matrices

322 Ultimate Networks The three ultimate networks arealso described as undirected weighted graphs whose adja-cency matrices are constructed from the seven basic relation-ship matrices and five intermediate networks

DVSN The DVSN represents the similarity of servicepermissions from a device perspective which means theservices accessed by similar devices are more similar thanothers The network is represented by the adjacency matrix119860119881119881 119863 whose values represent the similarity of two devicesThe matrix is determined by

119860119881119881 119863lowast = 119872119881119874119860119874119874 (119872119881119874)119879 (13)

119860119881119881 119863 = relationFilter (119860119881119881 119863lowast 120582) (14)

where relationFilter(119866 120582) is the function of filtering edgesfrom the original graph whose parameter 119866 is the originalgraph and 120582 is the ratio of edges to be reserved

As the matrix 119860119881119881 119863lowast is a fully connected matrix inwhich the edges with small weight have negative impacts oncommunity results we use a function relationFilter(119866 120582) tofilter the low weight edges from the network In function119903119890119897119886119905119894119900119899119865119894119897119905119890119903(119866 120582) for any node 119899 in the graph 119866 we onlyreserve the top 120582timesedgeNum(119899) edges with the largest weightIf two edges have the same weight we reserve the edgebetween the node 119899 and the neighbor node with a higherdegree

IVSN The IVSN represents the similarity of servicepermissions from an information perspective which meansthe services with a similar password are more similar thanothers The network is represented by the adjacency matrix119860119881119881 119868 whose values represent the similarity of two devicesThe matrix is determined by

119860119881119881 119868 = relationFilter (119872119881119868119860119868119868 (119872119881119868)119879 120582) (15)

where relationFilter(119866 120582) is the same edges filteringfunction in formula (14)

MVSN The MVSN represents the similarity of servicepermissions from multiple perspectives which merges thesimilarity relationships from the device perspective and theinformation perspective The network is represented by theadjacency matrix 119860119881119881 whose values represent the similarityof two devices The matrix is determined by the following

119860119881119881 = 119860119881119881 119863 + 119860119881119881 119868 (16)


Input nonnegative matrices 119860119881119881 119863 119860119881119881 119868 number of communities 119896 parameters 120582119863 120582119868 120582119863119868Output Service Community Division 119862 = c1 1198882 sdot sdot sdot 119888k(1) Initialize119882VV D ge 0119867119881119881 119863 ge 0119882VV I ge 0119867119881119881 119868 ge 0(2) While Objective function does not converge and the Number of iterations is less thanThreshold do(3) Update119867119881119881 119863 according to Formula (18)(4) Update119867119881119881 119868 according to Formula (19)(5) Update119882VV D according to Formula (20)(6) Update119882VV I according to Formula (21)(7) end while(8) Divide nodes to communities division 119862 = c1 1198882 sdot sdot sdot 119888k according to the coefficient matrix119882VV D

(9) return 119862 = c1 1198882 sdot sdot sdot 119888k

Algorithm 1 Permission community detection algorithm (PCDA)

33 Community Discovery and User-Role Definition Afterbuilding the ultimate networks services can be dividedinto community relations through multi-view clusteringalgorithm where all service permissions are divided into acommunity division119862 = 1198881 1198882 sdot sdot sdot 119888119896Then for each 119888119894 isin 119862a role can be defined correspondingly In this way all networkservice permissions can be naturally assigned to 119896 classeswhere the possible values of 119896 can be determined throughalgorithms such as maximummodule degree

In multiview service community discovery we usethe Pairwise Coregularized NMF clustering algorithm(PCoNMF) proposed in [32] which is based on regularizedjoint NMF The objective function of service communitydiscovery is formulated as follows

119869 = 120582119863100381710038171003817100381710038171003817119860119881119881 119863 minus119882119881119881 119863 (119867119881119881 119863)T100381710038171003817100381710038171003817

2

119865

+ 120582119868100381710038171003817100381710038171003817119860119881119881 119868 minus119882119881119881 119868 (119867119881119881 119868)T100381710038171003817100381710038171003817

2

119865

+ 12058211986311986810038171003817100381710038171003817119882119881119881 119863 minus119882119881119881 11986810038171003817100381710038171003817

2

119865

119904119905 119867119881119881 119863 ge 0 119867119881119881 119868 ge 0

(17)

The hypothesis behind PCoNMF is to regularize thecoefficient matrices of the different views to a commonconsensus which is then used for clustering PCoNMF alsoadopts alternating optimization to minimize the objectivefunction The optimization works as follows (1) fix the valueof 119882119881119881 119863 and 119882119881119881 119868 while minimizing 119869 over 119867119881119881 119863 and119867119881119881 119868 then (2) fix the value of 119867119881119881 119863 and 119867119881119881 119868 whileminimizing 119869over119882119881119881 119863 and119882119881119881 119868We repeat the two stepsuntil the iteration threshold is achieved

According to [32] the update rules are as follows

119867119881119881 119863 larr997888 119867119881119881 119863 sdot (119882119881119881 119863)119879119860119881119881 119863

(119882119881119881 119863)119879119882119881119881 119863119860119881119881 119863(18)

119867119881119881 119868 larr997888 119867119881119881 119868 sdot (119882119881119881 119868)119879119860119881119881 119868

(119882119881119881 119868)119879119882119881119881 119868119860119881119881 119868(19)

119882119881119881 119863 larr997888

119882119881119881 119863 sdot 120582119863119860119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119868

120582119863119882119881119881 119863119867119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119863(20)

119882119881119881 119868 larr997888

119882119881119881 119868 sdot 120582119868119860119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119863

120582119868119882119881119881 119868119867119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119868(21)

Hence the permission community detection algorithm isshown as Algorithm 1

4 Experiments and Results

In this section we evaluate our role mining method based onthemulti-domain information of a simulated network whichis the simplification of the inner network of Corporation M

41 Experiment Environment We built a simulation networkfor experiments including a router a firewall an IntrusionPrevention System (IPS) 3 switches (Switch1 Switch2 andSwitch3) 6 servers (WServer DServer FServer GServerOServer and IServer) 3 gate machines (GM1 GM2 andGM3) and 13 terminals (T1 T2 T3 T13) We used aHUAWEI S7706 as the core router three HUAWEI S5700as switches a TOPSEC NGFW 4000-UF as the firewall aTOPSEC IDP 3000 as IPS and computers from Dell and HPas the servers or terminalsThe router enabled 3-layer routingand the firewall were configured with bidirectional accesscontrol lists All the servers and terminals were installedwith different versions of Windows including Windows2003 Server Windows XP and Windows 7 We deployedan entrance guard system including 3 gate machines and aserver (GServer) The gate machines used face recognitiontechnology to determine whether a person can pass or notAn office automation system was deployed on the OServerwhose database was deployed on the DServer We alsodeployed two websites and an FTP using IIS (Internet Infor-mation Services) onWServer IServer and FServer Similarlythe websites depended on the same database deployed on


T1

T8

Switch1Firewall Switch 3

Database Server(DServer)

Web Server(WServer)

Ftp Server(FServer)

IPS

Gate Server(GServer)

OA Server(OServer)

Inner Web Server(IServer)

Gate Machine1Gate Machine3(GM1)

(GM3)

T7

Gate Machine2(GM2)

T13

Building 2

Building 3Building 1

Router

Figure 3 An example network

DServer The physical link relationships among devices areshown in Figure 3

All the devices are distributed in 12 rooms in 3 buildings10 devices are located in building 1 terminal T1 T2 andT3 arein room 1-1 T4 and T5 are in room 1-4 T6 and T7 are in room1-5 Switch1 is in room 1-2 and GM1 is in the hall of building1 (room 1-3) 8 devices are located in building 2 terminals T8and T9 are in room 2-1 T10 and T11 are in room 2-4 T12 andT13 are in room 2-5 Switch2 is in room 2-2 and GM2 is inthe hall of building 2 (room 2-3) 10 devices are located inbuilding 3 router firewall IPS Switch3 and all servers are inroom 3-1 and GM3 is in the hall of building 3 (room 3-2)

There were 34 services in the network including 28management services and 6 business services The manage-ment services were used for device management while thebusiness services were used for corporation business Eachdevice was managed by a management service The routerand switches enabled SSH service The servers and terminalsenabled the Remote Desktop Service In addition the gatemachines enabled web-based management interfaces Thewebsite deployed on WServer provided a web service onport 80 named as WS W which was used to publish publicinformationThe FServer provided an FTP service on port 21named as FS Fwhichwas used byNetworkAdministrators toshare informationTheGServer provided a data transmissionservice on port 8080 named as GS T which was usedto synchronize data between GM machine and GServerThe OServer provided a web service on port 80 named asOS W which was used to document circulation for all usersThe IServer provided a web service on port 80 named asIS W which was used by Server Administrators to shareinformationTheDServer provided a database service on port

1433 named as DS D which was used to provide underlyingsupport for WS W OS W and IS W

There were 33 passwords in the analysis Each serviceexcept for WS W and OS W has a password Besides119873119880119871119871 was added to represent the empty password All theinformation involved is shown in Table 1

There were 13 users involved in analysis named fromUser1 to User13 who used terminals T1 to T13 and knewpasswords T1 M P to T13 M P respectively Using the top-down approaches the network security administrators hadgotten 5 user roles for the business information which werenamed as Ordinary User Server Administrator DatabaseAdministrator NetworkAdministrator and Security Admin-istratorThe role-permission assignments are listed in Table 2

42 Baseline Methods To demonstrate the effectiveness ofour method we compare our approach with two groups ofbaselines The first group comprises 5 clustering methods 2single view methods and 3 multiview methods The secondgroup comprises 4 traditional role mining methods ORCA(OFFIS Role mining tool with Cluster Analysis) CM (Com-plete Miner) HPr (HP Role Minimization) and HPe (HPEdge Minimization)

421 Clustering Methods SP (Spectral Clustering) SP [35] isa classical single view clustering algorithm which makes useof the eigenvalues of the data similarity matrix to performdimensionality reduction before clustering in fewer dimen-sionsThe similaritymatrix is provided as an input consistingof a quantitative assessment of the relative similarity of eachpair of points in the dataset

SymNMF SymNMF [36] is a clustering algorithm basedon NMF which takes a nonnegative and symmetric matrix as


Table 1 Device related information

Device Location Services Password Device Location Services PasswordT1 R1-1 T1 M T1 M P GM2 R2-3 G2 M G2 M PT2 R1-1 T2 M T2 M P GM3 R3-2 G3 M G3 M PT3 R1-1 T3 M T3 M P Switch1 R1-2 S1 M S1 M PT4 R1-4 T4 M T4 M P Switch2 R2-2 S2 M S2 M PT5 R1-4 T5 M T5 M P Switch3 R3-1 S3 M S3 M PT6 R1-5 T6 M T6 M P Router R3-1 R M R M PT7 R1-5 T7 M T7 M P Firewall R3-1 F M F M PT8 R2-1 T8 M T8 M P IPS R3-1 IPS M IPS M P

T9 R2-1 T9 M T9 M P WServer R3-1 WS W - -WS M WS M P

T10 R2-4 T10 M T10 M P DServer R3-1 DS D DS D PDS M DS M P

T11 R2-4 T11 M T11 M P FServer R3-1 FS F FS F PFS M FS M P

T12 R2-5 T12 M T12 M P GServer R3-1 GS T GS T PGS M GS M P

T13 R2-5 T13 M T13 M P OServer R3-1 OS W ndashOS M OS M P

GM1 R1-3 G1 M G1 M P IServer R3-1 IS W IS W PIS M IS M P

Table 2 User role-permission assignments by top-down methods

Roles Service PermissionsOrdinary User WS W OS WServer Administrator WS M FS M GS M OS M IS M DS M IS WDatabase Administrator DS DNetwork Administrator S1 M S2 MS3 M R M FS FSecurity Administrator F M IPS M G1 M G2 M G3 M GS T

an input The matrix contains pairwise similarity values of asimilarity graph and is approximated by a lower rank matrixinstead of the product of two lower rank matrices

PCoSpec (Pairwise Coregularized Spectral clustering)and CCoSpec (Center-wise Coregularized Spectral cluster-ing) Two coregularization schemes are adopted in spec-tral clustering framework [37] PCoSpec utilizes a pairwisecoregularization to enforce the eigenvectors of each pairto be similar and CCoSpec employs the centroid-basedcoregularization to enforce the eigenvectors to be similar witha common center

CCoNMF (Cluster-wise Coregularized NMF clustering)CCoNMF extends NMF for multiview clustering by jointlyfactorizing the multiple matrices through cluster-wise coreg-ularization [32] which enforces the cluster similarity matri-ces to be similar

RMSC (Robust Multiview Spectral Clustering) RMSC[38] is a multiview spectral clustering method based onMarkov chain which explicitly handles the possible noise inthe transition probability matrices associated with differentviews

422Mining BaselineMethods ORCAORCA [11] is the firstrole mining algorithm which uses the hierarchical clusteringtechnology to discover user rolesThe algorithm defines each

permission as an initial cluster first then merges the clustersand forms a role hierarchy

Complete Miner (CM) CM [10] is another classic rolemining algorithm proposed in 2006 It starts by creating aninitial set of roles for the distinct user-permission sets thencomputes all possible intersection sets of the initial roles andoutputs a list of candidate roles

HP Role Minimization and HP Edge Minimization HPRole Minimization (HPr) and HP Edge Minimization (HPe)[14] are the role mining algorithms based on minimumbiclique coverage HPr tries to find a minimal set of roles thatoverride the user-permission assignment relationship whileHPe uses a heuristic method to find the smallest number ofedges of an RBAC system

43 Experiments Setup

431 Scenarios Construction To validate our frameworkand method we built 3 scenarios named as Scenario1 (S1)Scenario2 (S2) and Scenario3 (S3) based on the basic exper-imental environment shown in Figure 3 and assigned usersone ormore user roles which is shown in Table 3We can findout that each user in S1 was assigned only 1 user role whilethey were assigned 2 user roles in S2 In S3 users working


Table 3 User-role assignments in different scenario

Scenario OrdinaryUser

ServerAdministrator

DatabaseAdministrator

NetworkAdministrator

SecurityAdministrator

S1 User1 User2User3 User4 User5 User6 User7 User8 User9

User10User11 User12 User13

S2 All Users User7 User8 User11 User12User13 User4 User5 User9 User10

S3

User1 User2User5 User6

User9User10User13

User4 User7 User8 User11 User12

in one roommay be assigned different user roles which mayintroduce more vulnerabilities to network security

For each scenario we first configured the gate machinesand firewall according to Tables 2 and 3 Spatial accesscontrol lists were added on gate machines making usershave physical access to devices they managed or used whilenetwork access control lists were added on the firewallmaking the terminals have network access to the targetservices

It should be noted that there were potential conflictsamong multi-domain configurations on the semantic levelTake the user User4 in S1 as example User4 was a ServerAdministrator and should not access service DS M and thefirewall had forbidden T4 to access service DS D directlybut T4 was permitted to access service WS M and therewas no firewall between WServer and DServer Thus User4can use T4 to log in WServer remotely first and then accessservice DS D (he can get the password DS D P from theconfiguration files on WServer) This is a typical semanticconflict between the network access control lists Similarlyas User4 had the ability to access DS D physically by enteringthe room 3-1 there is another conflict between the networkaccess control list and the spatial access control list Thoseconflicts may result in extra permissions for users

Then we extracted basic information from the networkand established the necessary relationshipmatrices Note thatthere were 16 space entities 28 object entities 34 serviceentities 32 information entities and 13 user entities in allthe 3 scenarios The relationship matrices 119872119874119878 isin R28times16119872119881119868 isin R34times32119872119874119881 119871 isin R28times34 and119872119874119881 119877 isin R28times34 werethe same in all three scenarios where |119872119874119878|0 = |119872119874119881 119871|0 =|119872119874119881 119877|0 = 28 and |119872119881119868|0 = 34 The matrices 119872119878119878 isinR16times16 and119872119881119874 isin R34times28 varied from scenario to scenariodepending on the configurations of gate machines or firewallFor each space pair (S1 S2) we counted the users who canmove from S1 to S2 under each scenario and set the parameter120576 = 14when constructing thematrix119872119878119878The results showedthat |119872119878119878|0 = 46 in S1 |119872119878119878|0 = 46 in S2 and |119872119878119878|0 = 42in S3 We used the scanner NMAP to get the accessibilityrelationships between devices and services establishing thematrix 119872119881119874 The results showed that |119872119881119874|0 = 549 in S1|119872119881119874|0 = 566 in S2 and |119872119878119878|0 = 548 in S3

Finally we detected the user roles by RMMDI and com-pared the results with the two groups of baseline methods

On the one hand we performed the role mining baselinemethods based on the user-permission assignment (UPA)matrices constructed from the firewall configurations andcompared the results with RMMDI On the other hand westudied the best parameters for each clustering method andthen compared the effectiveness of RMMDI with the clus-tering baseline methods Accuracy and normalized mutualinformation (NMI) [31ndash33 36] were adopted to evaluate thecommunity detection effectiveness of different parameterswhose values both range from 0 to 1 and a higher valuemeans better effectiveness We calculated the accuracy andNMI of different clustering methods with ground truth afterstudying the best parameters for each clustering method Inthe experiments we constructed two ground truthsmanuallyIn one ground truth we divided 21 service permissionsinto 5 roles according to Table 2 In the other groundtruth we combined the roles ldquoDatabase Administratorrdquo withldquoServer Administratorrdquo and classified 21 service permissionsinto 4 roles For one community detection result we com-pared it with the two ground truths and calculated metricsseparately

44 Result

441 Role Mining Results Firstly we performed the baselinerole mining methods based on the firewall configurationsAs the firewall only conducted the network access controllists it can only reflect the accessibility between devices andservices Since each terminal was assigned to a user we canget the 3 different UPA matrices from it As we wanted tofind disjoint service subnets we used 119882 = ⟨1 1 1infininfin⟩as the optimization objective In order to save space only thepermission divisions are shown in Table 4 We found that thepermission divisionswere almost the same as those in Table 2whichmeant that the role miningmethods can find no errorsfrom the top-down approach

Then we also performed the RMMDI on all scenarioswith the role number 119896 = 5100 times for each scenario Themajority of the results were different from the result shownin Table 2 The most frequent result (222 in 300 times) islisted as Table 5 Comparing with Table 2 we counted thenumber of inconsistent classification results of each serviceAll 18 services were classified inconsistently for 572 timesin total And the top 2 services with the most inconsistent


Table 4 Role mining results of baselines on all scenarios

Scenario Method Role Permissions

S1

ORCACMHPrHPe

Role1 WS W OS W

Role2 WS M FS M GS M OS MIS M DS M IS W

Role3 DS DRole4 S1 M S2 MS3 M R M FS FRole5 F M IPS M GS T

S2 HPr

Role1 WS W OS W

Role2 WS W OS W WS M FS MGS M OS M IS M DS M IS W

Role3 WS W OS W DS D

Role4 WS W OS W S1 M S2 MS3 M R M FS F

Role5 WS W OS W F M IPS M GS T

S2

ORCACMHPe

Role1 WS W OS W


Role3 WS W OS W DS DRole4 S1 M S2 M S3 M R M FS FRole5 F M IPS M GS T

S3

ORCACMHPrHPe

Role1 WS W OS W



Table 5 The most common result of RMMDI when k=5

Method Role Permissions

RMMDI

Role1 WS W OS WRole2 WS M FS M GS M OS M IS M DS M IS W DS DRole3 GS TRole4 S1 M S2 MS3 M R M FS FRole5 F M IPS M

classification times were DS D (282 times) and GS T (258times)

Finally we changed the role number 119896 = 4 and performedthe experiments 100 times under each scenario The mostcommon results are shown in Table 6

442 Parameter Study Results We studied the parametersused in RMMDI as well as the baseline clustering methodsWe performed a series of experiments for a series of differentparameters and tried to find out the optimal parameters Theexperiments were conducted under S2 with role number 119896 =4

We first studied the parameters used in baseline meth-ods including 120582119901 119904119901119890119888 in PCoSpec 120582119888 119904119901119890119888 119863 and 120582119888 119904119901119890119888 119868 inCCoSpec and 120582119903119898119904119888 in RMSC With each parameter we set120582 = 005 and studied 30 different values between 0005 and100 When 120582119901 119904119901119890119888 = 015 120582119888 119904119901119890119888 119863 = 8 120582119888 119904119901119890119888 119868 = 1 and

120582119903119898119904119888 = 015 the methods had relatively better effectivenesson the dataset

Then we studied the parameters in PCoNMF andCCoNMF There are 3 parameters 120582119863 120582119868 and 120582119863119868 120582119863 and120582119868 represent the weights of view 119860119881119881 119863 and 119860119881119881 119868 while 120582119863119868is the regularization parameter We studied 27 different ratiosof 120582119863 to 120582119868 between 10 and 002 as well as 10 different valuesof 120582119863119868 between 01 and 10 The experiments were conducted50 times for each pair The results are shown in Figures 4and 5 We found that the parameters 120582119863 and 120582119868 had littleimpact on both the accuracy and NMI when 120582119863120582119868 lt 1 and05 lt 120582119863119868 lt 15 so we used 120582119863 = 1 120582119868 = 3 and 120582119863119868 = 09in the study of 120582 and the clustering experiments shown inSection 443

Finally we studied the parameter 120582 used in RMMDI Weperformed an experiment with a series of 120582 from 005 to 1with step size 05 and observed their impacts on the clustering




RMMDI

Role1 WS W OS WRole2 WS M FS M GS M OS M IS M DS M IS W DS DRole3 S1 M S2 MS3 M R M FS FRole4 F M IPS M GS T

06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150

PCoNMF_ACCPCoNMF_NMICCoNMF_NMICCoNMF_ACC

Figure 4 Evaluating the accuracy and NMI of PCoNMF and CCoNMF on varying 120582119863120582119868

effectiveness (shown in Figure 6) The other parameters wereset as mentioned in the previous paragraph

We found that the curves showed a downward trend inwhole and the accuracy and NMI got greater values when 120582was around 03 which was used for the experiments shownin Section 443

443 Clustering Results We also conducted experiments tocompare the effectiveness of RMMDI with the clusteringbaseline methods We performed all algorithms 200 times oneach scenario and compared results with the ground truthshown in Table 4 All the other parameters were set as theoptimal values mentioned in Section 442 The results arelisted in Tables 7ndash9 in which the results of SP and SymNMF

were the larger result of 3 different inputs 119860119881119881 119860119881119881 119863 and119860119881119881 119868 Most of those values were from the input 119860119881119881 119868

5 Discussion

Wepropose a novel user role framework which uses multipledomain information to mine user roles other than thepreassigned user-permission assignment matrix

It is proved that the framework is suitable for role miningFor the three scenarios used in the experiment different usersare assigned to different user roles One user may be assignedone or more user roles and one user role may be assigned toseveral users For the results listed in Tables 7 and 8 we canfind that the accuracy of the proposed framework is greater


Table 7 Accuracy for different methods on 3 scenarios

Scenario SP SymNMF PCoSpec CCoSpec PCoNMF CCoNMF RMSCS1 09010 09229 07121 09057 09381 09190 06952S2 08981 09276 06675 09072 09428 09365 05762S3 09210 09181 07070 09035 09365 09333 06333

Table 8 NMI for different methods on 3 scenarios


Table 9 Runtime for different methods on 3 scenarios (s)


06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10

PCoNMF_ACCPCoNMF_NMICCoNMF_ACCCCoNMF_NMI


than 935 in all the three scenarios while the NMI is greaterthan 870 It means that the framework can detect userroles from the multiple domain configuration informationsuccessfully

More importantly it is also demonstrated that the frame-work has the ability to find interdependent relationships

between permissions avoiding potential errors From theexperimental results in Section 441 we find that RMMDItends to integrate user roles ldquoDatabase Administratorrdquo andldquoServer Administratorrdquo Analyzing user potential permis-sions it can be found that all Server Administrators canaccess service DS D as they can both reach the service from


04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1

SP_ACCSNMF_ACCPCoSpec_ACCCCoSpec_ACCPCoNMF_ACCCCoNMF_ACCRMSC_ACC

(a) Evaluating the accuracy of RMMDI on varying 120582

0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1

SP_NMISNMF_NMIPCoSpec_NMICCoSpec_NMIPCoNMF_NMICCoNMF_NMIRMSC_NMI

(b) Evaluating the NMI of RMMDI on varying 120582

Figure 6 Evaluating the accuracy and NMI of RMMDI on varying 120582


other servers and get its password from configuration files inWServer Therefore it may be more appropriate to integrateuser roles ldquoDatabaseAdministratorrdquo and ldquoServerAdministra-torrdquo This trend cannot be found by traditional methods

It is also proved that the performances of differentclustering methods vary in the framework As shown inTables 7 and 8 the accuracy and NMI of PCoNMF arealways the best among all the three scenarios 30 betterthan the worst method It means that a reasonable clusteringmethod will promote the effectiveness of the framework sig-nificantly Comparedwith the single view clusteringmethodsPCoNMF promotes the accuracy and NMI by more than1 which means the reasonable utilization of informationfrommultiple views will get more structure information thanfrom single view Both the PCoSpec and RMSC have a loweraccuracy or NMI whichmeans themultiviewmethods basedon spectral clustering may not be suitable to the datasets

There are 4 parameters involved in the RMMDI in totaland it is important to select proper values to the parametersThe first two parameters 120582119863 and 120582119868 are the weights of views119860119881119881 119863 and 119860119881119881 119868 From the results in Figure 4 we find thatthe view 119860119881119881 119868 has more structure information than 119860119881119881 119863in the experiments and it is reasonable to set a larger 120582119868 anda smaller 120582119863 The third parameter 120582119863119868 is the regularizationparameter that indicates the degree of community proximitybetween the two perspectives A too low 120582119863119868 will not establishthe connection between two views Nevertheless as the view119860119881119881 119868 has more structure information than 119860119881119881 119863 a too big120582119863119868 will reduce the accuracy of the algorithm Therefore amoderate parameter 120582119863119868 (05 lt 120582119863119868 lt 15) will make thealgorithm perform better The last parameter 120582 is used inthe function relationFilter(119866 120582) which means to reserve thetop 120582 times 119890119889119892119890119873119906119898(119899) edges with the largest weight From theresults shown in Figure 6 we find that it is vital to reserve anappropriate proportion of links A big 120582will reservemore lowweight links and the existences of lowweight links will impactthe effectiveness of the framework However a low value of 120582will lost a lot of useful structure information which will havean impact on the effectiveness of the algorithm too

6 Conclusion

In this paper a novel framework for role mining based onmulti-domain information named as RMMDI is proposedThe key idea of the framework is to mine user roles frommultiple domain information rather than existing user-permission assignment matrices In the framework infor-mation from the physical domain network domain anddigital domain is used to find the relationships between userpermissions and multi-view community detection methodsare used to integrate information from different domainsExperiments on 3 simulated network scenarios demonstratethat RMMDI can capture the interdependent relationshipsbetween permissions and perform user-role mining moreeffectively and reasonably

Data Availability

The data used to support the findings of this study areavailable from the corresponding author upon request

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

This work is supported by the grants from the National KeyRampD Program of China (Project No 2017YFB0802800)

References

[1] R S Sandhu E J Coyne H L Feinstein and C E YoumanldquoRole-based access control modelsrdquoThe Computer Journal vol29 pp 38ndash47 1996

[2] A Colantonio R D Pietro A Ocello and N V Verde ldquoAformal framework to elicit roles with business meaning inRBAC systemsrdquo in Proceedings of the 14th ACM Symposiumon Access Control Models And Technologies pp 85ndash94 ACMStresa Italy 2009

[3] A Baumgrass M Strembeck and S Rinderle-Ma ldquoDerivingrole engineering artifacts from business processes and scenariomodelsrdquo in Proceedings of the 16th ACM Symposium on AccessControl Models and Technologies pp 11ndash20 ACM InnsbruckAustria 2011

[4] A Colantonio R Di Pietro A Ocello andN V Verde ldquoTamingrole mining complexity in RBACrdquo Computers amp Security vol29 pp 548ndash564 2010

[5] A Colantonio R Di Pietro andN V Verde ldquoA business-drivendecomposition methodology for role miningrdquo Computers ampSecurity vol 31 no 7 pp 844ndash855 2012

[6] S Hachana F Cuppens N Cuppens-Boulahia and J Garcia-Alfaro ldquoSemantic analysis of role mining results and shadowedroles detectionrdquo Information Security Technical Report vol 17pp 131ndash147 2013

[7] M Kuhlmann D Shohat and G Schimpf ldquoRole mining- revealing business roles for security administration usingdata mining technologyrdquo in Proceedings of the Eighth ACMSymposium on Access Control Models and Technologies pp 179ndash186 ACM Como Italy 2003

[8] I Molloy N Li T Li Z Mao QWang and J Lobo ldquoEvaluatingrole mining algorithmsrdquo in Proceedings of the ACM Symposiumon Access Control Models and Technologies pp 95ndash104 2009

[9] J Jiang X Yuan and R Mao ldquoResearch on role miningalgorithms in RBACrdquo in Proceedings of the 2018 2nd HighPerformance Computing and Cluster Technologies Conferencepp 1ndash5 ACM 2018

[10] J Vaidya V Atluri and J Warner ldquoRoleMiner mining rolesusing subset enumerationrdquo in Proceedings of the 13th ACMConference onComputer andCommunications Security pp 144ndash153 ACM Alexandria Va USA 2006

[11] J Schlegelmilch and U Steffens ldquoRole mining with ORCArdquoin Proceedings of the Tenth ACM Symposium on Access ControlModels and Technologies pp 168ndash176 ACM Stockholm Swe-den 2005

[12] I Molloy H Chen T Li et al ldquoMining roles with semanticmeaningsrdquo in Proceedings of the ACM Symposium on AccessControl Models and Technologies SACMAT rsquo08 pp 21ndash30 EstesPark Colo Usa 2008

[13] D Zhang K Ramamohanarao and T Ebringer ldquoRole engineer-ing using graph optimisationrdquo in Proceedings of the 12th ACM


Symposium on Access Control Models and Technologies pp 139ndash144 ACM Sophia Antipolis France June 2007

[14] A Ene W Horne N Milosavljevic et al Fast Exact andHeuristic Methods for Role Minimization Problems 2008

[15] M Frank D Basin and J M Buhmann ldquoA class of probabilisticmodels for role engineeringrdquo in Proceedings of the 15th ACMConference on Computer and Communications Security pp299ndash310 ACM Alexandria Va USA 2008

[16] M Frank A P Streich D A Basin et al ldquoA probabilisticapproach to hybrid role miningrdquo in Proceedings of the AcmConference on Computer amp Communications Security 2009

[17] I Molloy N Li Y Qi et al ldquoMining roles with noisy datardquo inProceedings of the ACM Symposium on Access Control MODELSand Technologies pp 45ndash54 2010

[18] X Du and X Chang ldquoPerformance of AI algorithms for miningmeaningful rolesrdquo in Proceedings of the 2014 IEEE Congress onEvolutionary Computation (CEC) pp 2070ndash2076 2014

[19] L Dong Y Wang R Liu B Pi and L Wu ldquoToward edgeminability for role mining in bipartite networksrdquo Physica AStatistical Mechanics and its Applications vol 462 pp 274ndash2862016

[20] L Wu L Dong Y Wang et al ldquoUniform-scale assessmentof role minimization in bipartite networks and its applicationto access controlrdquo Physica A Statistical Mechanics and itsApplications vol 507 pp 381ndash397 2018

[21] Q Guo J Vaidya and V Atluri ldquoThe role hierarchy miningproblem discovery of optimal role hierarchiesrdquo 2008

[22] A Colantonio R D Pietro and A Ocello ldquoA cost-drivenapproach to role engineeringrdquo in Proceedings of the AcmSymposium on Applied Computing 2008

[23] CW Probst R RHansen andFNielsonWhereCan an InsiderAttack Springer Berlin Germany 2007

[24] CW Probst andR RHansen ldquoAn extensible analysable systemmodelrdquo inElsevierAdvancedTechnology Publications vol 13 pp235ndash246 2008

[25] I KotenkoM Stepashkin and E Doynikova ldquoSecurity analysisof information systems taking into account social engineeringattacksrdquo in Proceedings of the 2011 19th International EuromicroConference on Parallel Distributed and Network-Based Process-ing pp 611ndash618 2011

[26] D Scott A Beresford and A Mycroft ldquoSpatial policies forsentient mobile applicationsrdquo in Proceedings of the 4th IEEEInternational Workshop on Policies for Distributed Systems andNetworks p 147 IEEE Computer Society 2003

[27] TDimkovAlignment of Organizational Security PoliciesTheoryand Practice University of Twente Enschede Netherlands2012

[28] F Kammuller and C W Probst ldquoInvalidating policies usingstructural informationrdquo in Proceedings of the 2013 IEEE Securityand Privacy Workshops pp 76ndash81 2013

[29] D D Lee and H S Seung ldquoLearning the parts of objects bynon-negative matrix factorizationrdquo Nature vol 401 no 6755pp 788ndash791 1999

[30] A Wendel S Sternig M Godec et al ldquoNon-negative matrixfactorization in multimodality data for segmentation and labelpredictionrdquo Computer Vision Winter Workshop 2011

[31] J Liu C Wang J Gao et al ldquoMulti-View clustering via jointnonnegative matrix factorizationrdquo in Proceedings of the 2013SIAM International Conference on Data Mining pp 252ndash2602013

[32] X He M-Y Kan P Xie and X Chen ldquoComment-based multi-view clustering of web 20 itemsrdquo in Proceedings of the 23rdInternational Conference on World Wide Web pp 771ndash782ACM Seoul Korea 2014

[33] Y Pei N Chakraborty and K Sycara ldquoNonnegative matrix tri-factorization with graph regularization for community detec-tion in social networksrdquo in Proceedings of the 24th InternationalConference onArtificial Intelligence pp 2083ndash2089 AAAI PressBuenos Aires Argentina 2015

[34] Z Li Z Pan Y Zhang G Li and G Hu ldquoEfficient communitydetection in heterogeneous social networksrdquo MathematicalProblems in Engineering vol 2016 Article ID 5750645 15 pages2016

[35] U von Luxburg ldquoA tutorial on spectral clusteringrdquo Statistics andComputing vol 17 no 4 pp 395ndash416 2007

[36] D Kuang S Yun and H Park ldquoSymNMF nonnegative low-rank approximation of a similarity matrix for graph clusteringrdquoJournal of Global Optimization vol 62 pp 545ndash574 2015

[37] A Kumar P Rai and H Daume ldquoCo-regularized multi-viewspectral clusteringrdquo Advances in Neural Information ProcessingSystems 2011

[38] R Xia Y Pan L Du et al ldquoRobust multi-view spectral clus-tering via low-rank and sparse decompositionrdquo in Proceedingsof the Twenty-Eighth AAAI Conference on Artificial Intelligencepp 2149ndash2155 AAAI Press Quebec Canada 2014

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


set is assigned to a user role a user assigned some roles isunlikely to get extra permissions assigned to other roles Assuch potential security risks involved in the user-permissionassignments process can be avoided

The rest of this paper is organized as follows In Section 2some general works are briefly reviewed Section 3 presentsthe proposed framework in detail Section 4 shows theexperimental setup and results and Section 5 presents a com-prehensive discussion At last Section 6 provides concludingremarks

2 Related Work

21 Role Mining RBAC has become a dominating model foraccess control in network security Instead of assigning per-missions to the user directly RBAC introduces the conceptof roles to make access control system more compact andcomprehensive [6] A role is defined as a collection of permis-sions The key point of RBAC is to generate proper roles Inthis process the bottom-up approach named as role mininggets muchmore attention than the top-down approach as thelatter is time-consuming and human-intensive [3]

Kuhlmann et al first proposed the concept of role miningfor finding roles from user-permission assignment data [7]Traditional role mining approaches are mainly divided intotwo classes based on their output [5 8 9] The first classis to output a prioritized list of candidate roles each ofwhich is assigned a priority value A larger priority valuemeans the role is more important or useful Complete Miner(CM) and Fast Miner (FM) are two typical algorithms of thefirst class which identify overlapping clusters by analyzingthe subset enumeration in an unsupervised way [10] Thesecond class is to output a complete RBAC state under acertain cost There are also a lot of classic algorithms inthe class for example OFFIS Role mining tool with ClusterAnalysis (ORCA) [11] Hierarchical Miner (HM) [12] GraphOptimization (GO) [13] HP Role Minimization (HPr) [14]and HP Edge Minimization (HPe) [14]

Besides those traditional role mining algorithms thereare also many important approaches that emerged in recentyears For example Frank et al proposed a probabilisticapproach to improve the role mining process by takingaccount of the business information The approach uti-lized the similarity between user-permission relations todetect exceptional assignments and wrong assignments [15]Besides entropy-based methods were used in this approachto analyze the impact of business knowledge on role mining[16] Alessandro et al presented an approach that allowedrole engineers to leverage business information In the rolemining process the access data was divided into smallersubsets from a business perspective firstly and then tradi-tional methods can be used to discover roles with businessmeanings [5] Iran et al proposed a method based on formalconcept lattices to discover roles with semantic meanings[12] as well as a method based on logistic PCA (PrincipalComponent Analysis) to eliminate data noises [17] Du Xand Change X proposed two algorithms based on artificialintelligence ie the genetic algorithm and ant colony opti-mization algorithm [18] Dong et al proposed both fast exact

and heuristic methods based on biclique network cover tominimize role number or edge number [19]

With regard to goodness measure several metrics havebeen proposed in the literature including minimizing thenumber of roles [10 20] minimizing the number of edges[13 14 19] minimizing the number of user-role assignmentand permission-role assignment relations [13] minimizingboth the number of roles and edges [21] and minimizing theadministrative cost [22]These optimization goals can be uni-formly represented by the Weighted Structural Complexity(WSC) [8 9]

Although there are a lot of effective role miningapproaches most of them neglect the relationships betweenuser permissions From the perspective of network securitymanagement user permissions are not independent A useror potential attacker may get extra permissions from thepreassigned permissions which may introduce fatal risksto network security Hence in the framework RMMDIwe model the interrelationships between user permissionsfrom multi-domain configuration information and get morereasonable user roles mitigating the vulnerabilities andstrengthening network security

22 Multi-Domain Information Modeling Traditional net-work security analysis mainly concentrates on the networkdomain with a few concerns on other domains Howeverwith the deepening of research on insider threat an increas-ing number of studies have shown that the attacker will attackthe network not only in digital ways but also through thephysical domain and social domain

The existingmethods of jointmodeling of networkmulti-domain information mainly define multi-domain informa-tion by using the formalized methods and then make infer-ence based on the logical rules to judge whether the systemcan reach the unsafe state Probst et al proposed a formalmodel for describing scenarios that span the physical anddigital domain [23 24] Kotenko et al proposed a model fordescribing attacks that use social engineering and physicalaccess based on the preconditions and postconditions ofatomic actions [25] Scott et al built a security model thatadds a spatial relationship between the elements in theambient calculus [26] Dimkov presented a security modelnamed as Portunes graph to abstract the environment of anorganization into a stratified graph which involved the infor-mation in physical digital and social domain information[27] Kammuller and Probst combined formal modeling andanalysis of infrastructures of organizationswith a sociologicalexplanation to provide a framework for insider threat analysis[28]

In this paper we take possible interaction effects amongmulti-domain permissions into consideration which are thebasis of similar permission finding and role mining based onmultiple domain information

23 Multi-View Community Detection The community is auniversal property in many complex networks which meansthat network nodes can be divided into small groups [26]Traditional community detection methods only utilize singlenetwork information And several multiview community


Basic information

acquisition


construction

Community detection

and role definition



















119872119878119878 (119894 119895) =


(1)



119872119874119878 (119894 119895) =


(2)


119872119881119874 (119894 119895)

=


(3)


119872119874119881 119871 (i j)

=


(4)


119872119874119881 119877 (119894 119895)

=


0 otherwise

(5)


119872119881119868 (119894 119895)

=


(6)


119872119868119868 (119894 119895) =


(7)




119860119874119874 119878 = 119872119874119878119872119878119878 (119872119874119878)119879 (8)


119860119874119874 119877 = 119872119874 119881119877119872119881119874 + (119872119874 119881119877119872119881119874)119879 (9)


119860119874119874 119868119871 = 119872119874119881 119871119872119881119868119872119868119868 (119872119874119881 119871119872119881119868)119879 (10)




















119860119874119874 119868119877 = 119872119874119881 119877119872119881119868119872119868119868 (119872119874119881 119877119872119881119868)119879 (11)


119860119874119874 = 119860119874119874 119878 sdot 119860119874119874 119868119871 + 119860119874119874 119877 sdot 119860119874119874 119868119877 (12)




119860119881119881 119863lowast = 119872119881119874119860119874119874 (119872119881119874)119879 (13)





119860119881119881 119868 = relationFilter (119872119881119868119860119868119868 (119872119881119868)119879 120582) (15)



119860119881119881 = 119860119881119881 119863 + 119860119881119881 119868 (16)







119869 = 120582119863100381710038171003817100381710038171003817119860119881119881 119863 minus119882119881119881 119863 (119867119881119881 119863)T100381710038171003817100381710038171003817

2

119865

+ 120582119868100381710038171003817100381710038171003817119860119881119881 119868 minus119882119881119881 119868 (119867119881119881 119868)T100381710038171003817100381710038171003817

2

119865

+ 12058211986311986810038171003817100381710038171003817119882119881119881 119863 minus119882119881119881 11986810038171003817100381710038171003817

2

119865

119904119905 119867119881119881 119863 ge 0 119867119881119881 119868 ge 0

(17)



119867119881119881 119863 larr997888 119867119881119881 119863 sdot (119882119881119881 119863)119879119860119881119881 119863

(119882119881119881 119863)119879119882119881119881 119863119860119881119881 119863(18)

119867119881119881 119868 larr997888 119867119881119881 119868 sdot (119882119881119881 119868)119879119860119881119881 119868

(119882119881119881 119868)119879119882119881119881 119868119860119881119881 119868(19)

119882119881119881 119863 larr997888

119882119881119881 119863 sdot 120582119863119860119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119868

120582119863119882119881119881 119863119867119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119863(20)

119882119881119881 119868 larr997888

119882119881119881 119868 sdot 120582119868119860119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119863

120582119868119882119881119881 119868119867119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119868(21)






T1

T8



Web Server(WServer)

Ftp Server(FServer)

IPS


OA Server(OServer)



(GM3)

T7

Gate Machine2(GM2)

T13

Building 2


Router



































ServerAdministrator







S3


User9User10User13








44 Result






S1

ORCACMHPrHPe

Role1 WS W OS W



S2 HPr

Role1 WS W OS W





S2

ORCACMHPe

Role1 WS W OS W



S3

ORCACMHPrHPe

Role1 WS W OS W





RMMDI












RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Basic information

acquisition


construction

Community detection

and role definition



















119872119878119878 (119894 119895) =


(1)



119872119874119878 (119894 119895) =


(2)


119872119881119874 (119894 119895)

=


(3)


119872119874119881 119871 (i j)

=


(4)


119872119874119881 119877 (119894 119895)

=


0 otherwise

(5)


119872119881119868 (119894 119895)

=


(6)


119872119868119868 (119894 119895) =


(7)




119860119874119874 119878 = 119872119874119878119872119878119878 (119872119874119878)119879 (8)


119860119874119874 119877 = 119872119874 119881119877119872119881119874 + (119872119874 119881119877119872119881119874)119879 (9)


119860119874119874 119868119871 = 119872119874119881 119871119872119881119868119872119868119868 (119872119874119881 119871119872119881119868)119879 (10)




















119860119874119874 119868119877 = 119872119874119881 119877119872119881119868119872119868119868 (119872119874119881 119877119872119881119868)119879 (11)


119860119874119874 = 119860119874119874 119878 sdot 119860119874119874 119868119871 + 119860119874119874 119877 sdot 119860119874119874 119868119877 (12)




119860119881119881 119863lowast = 119872119881119874119860119874119874 (119872119881119874)119879 (13)





119860119881119881 119868 = relationFilter (119872119881119868119860119868119868 (119872119881119868)119879 120582) (15)



119860119881119881 = 119860119881119881 119863 + 119860119881119881 119868 (16)







119869 = 120582119863100381710038171003817100381710038171003817119860119881119881 119863 minus119882119881119881 119863 (119867119881119881 119863)T100381710038171003817100381710038171003817

2

119865

+ 120582119868100381710038171003817100381710038171003817119860119881119881 119868 minus119882119881119881 119868 (119867119881119881 119868)T100381710038171003817100381710038171003817

2

119865

+ 12058211986311986810038171003817100381710038171003817119882119881119881 119863 minus119882119881119881 11986810038171003817100381710038171003817

2

119865

119904119905 119867119881119881 119863 ge 0 119867119881119881 119868 ge 0

(17)



119867119881119881 119863 larr997888 119867119881119881 119863 sdot (119882119881119881 119863)119879119860119881119881 119863

(119882119881119881 119863)119879119882119881119881 119863119860119881119881 119863(18)

119867119881119881 119868 larr997888 119867119881119881 119868 sdot (119882119881119881 119868)119879119860119881119881 119868

(119882119881119881 119868)119879119882119881119881 119868119860119881119881 119868(19)

119882119881119881 119863 larr997888

119882119881119881 119863 sdot 120582119863119860119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119868

120582119863119882119881119881 119863119867119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119863(20)

119882119881119881 119868 larr997888

119882119881119881 119868 sdot 120582119868119860119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119863

120582119868119882119881119881 119868119867119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119868(21)






T1

T8



Web Server(WServer)

Ftp Server(FServer)

IPS


OA Server(OServer)



(GM3)

T7

Gate Machine2(GM2)

T13

Building 2


Router



































ServerAdministrator







S3


User9User10User13








44 Result






S1

ORCACMHPrHPe

Role1 WS W OS W



S2 HPr

Role1 WS W OS W





S2

ORCACMHPe

Role1 WS W OS W



S3

ORCACMHPrHPe

Role1 WS W OS W





RMMDI












RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




119872119878119878 (119894 119895) =


(1)



119872119874119878 (119894 119895) =


(2)


119872119881119874 (119894 119895)

=


(3)


119872119874119881 119871 (i j)

=


(4)


119872119874119881 119877 (119894 119895)

=


0 otherwise

(5)


119872119881119868 (119894 119895)

=


(6)


119872119868119868 (119894 119895) =


(7)




119860119874119874 119878 = 119872119874119878119872119878119878 (119872119874119878)119879 (8)


119860119874119874 119877 = 119872119874 119881119877119872119881119874 + (119872119874 119881119877119872119881119874)119879 (9)


119860119874119874 119868119871 = 119872119874119881 119871119872119881119868119872119868119868 (119872119874119881 119871119872119881119868)119879 (10)




















119860119874119874 119868119877 = 119872119874119881 119877119872119881119868119872119868119868 (119872119874119881 119877119872119881119868)119879 (11)


119860119874119874 = 119860119874119874 119878 sdot 119860119874119874 119868119871 + 119860119874119874 119877 sdot 119860119874119874 119868119877 (12)




119860119881119881 119863lowast = 119872119881119874119860119874119874 (119872119881119874)119879 (13)





119860119881119881 119868 = relationFilter (119872119881119868119860119868119868 (119872119881119868)119879 120582) (15)



119860119881119881 = 119860119881119881 119863 + 119860119881119881 119868 (16)







119869 = 120582119863100381710038171003817100381710038171003817119860119881119881 119863 minus119882119881119881 119863 (119867119881119881 119863)T100381710038171003817100381710038171003817

2

119865

+ 120582119868100381710038171003817100381710038171003817119860119881119881 119868 minus119882119881119881 119868 (119867119881119881 119868)T100381710038171003817100381710038171003817

2

119865

+ 12058211986311986810038171003817100381710038171003817119882119881119881 119863 minus119882119881119881 11986810038171003817100381710038171003817

2

119865

119904119905 119867119881119881 119863 ge 0 119867119881119881 119868 ge 0

(17)



119867119881119881 119863 larr997888 119867119881119881 119863 sdot (119882119881119881 119863)119879119860119881119881 119863

(119882119881119881 119863)119879119882119881119881 119863119860119881119881 119863(18)

119867119881119881 119868 larr997888 119867119881119881 119868 sdot (119882119881119881 119868)119879119860119881119881 119868

(119882119881119881 119868)119879119882119881119881 119868119860119881119881 119868(19)

119882119881119881 119863 larr997888

119882119881119881 119863 sdot 120582119863119860119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119868

120582119863119882119881119881 119863119867119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119863(20)

119882119881119881 119868 larr997888

119882119881119881 119868 sdot 120582119868119860119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119863

120582119868119882119881119881 119868119867119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119868(21)






T1

T8



Web Server(WServer)

Ftp Server(FServer)

IPS


OA Server(OServer)



(GM3)

T7

Gate Machine2(GM2)

T13

Building 2


Router



































ServerAdministrator







S3


User9User10User13








44 Result






S1

ORCACMHPrHPe

Role1 WS W OS W



S2 HPr

Role1 WS W OS W





S2

ORCACMHPe

Role1 WS W OS W



S3

ORCACMHPrHPe

Role1 WS W OS W





RMMDI












RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia




















119860119874119874 119868119877 = 119872119874119881 119877119872119881119868119872119868119868 (119872119874119881 119877119872119881119868)119879 (11)


119860119874119874 = 119860119874119874 119878 sdot 119860119874119874 119868119871 + 119860119874119874 119877 sdot 119860119874119874 119868119877 (12)




119860119881119881 119863lowast = 119872119881119874119860119874119874 (119872119881119874)119879 (13)





119860119881119881 119868 = relationFilter (119872119881119868119860119868119868 (119872119881119868)119879 120582) (15)



119860119881119881 = 119860119881119881 119863 + 119860119881119881 119868 (16)







119869 = 120582119863100381710038171003817100381710038171003817119860119881119881 119863 minus119882119881119881 119863 (119867119881119881 119863)T100381710038171003817100381710038171003817

2

119865

+ 120582119868100381710038171003817100381710038171003817119860119881119881 119868 minus119882119881119881 119868 (119867119881119881 119868)T100381710038171003817100381710038171003817

2

119865

+ 12058211986311986810038171003817100381710038171003817119882119881119881 119863 minus119882119881119881 11986810038171003817100381710038171003817

2

119865

119904119905 119867119881119881 119863 ge 0 119867119881119881 119868 ge 0

(17)



119867119881119881 119863 larr997888 119867119881119881 119863 sdot (119882119881119881 119863)119879119860119881119881 119863

(119882119881119881 119863)119879119882119881119881 119863119860119881119881 119863(18)

119867119881119881 119868 larr997888 119867119881119881 119868 sdot (119882119881119881 119868)119879119860119881119881 119868

(119882119881119881 119868)119879119882119881119881 119868119860119881119881 119868(19)

119882119881119881 119863 larr997888

119882119881119881 119863 sdot 120582119863119860119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119868

120582119863119882119881119881 119863119867119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119863(20)

119882119881119881 119868 larr997888

119882119881119881 119868 sdot 120582119868119860119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119863

120582119868119882119881119881 119868119867119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119868(21)






T1

T8



Web Server(WServer)

Ftp Server(FServer)

IPS


OA Server(OServer)



(GM3)

T7

Gate Machine2(GM2)

T13

Building 2


Router



































ServerAdministrator







S3


User9User10User13








44 Result






S1

ORCACMHPrHPe

Role1 WS W OS W



S2 HPr

Role1 WS W OS W





S2

ORCACMHPe

Role1 WS W OS W



S3

ORCACMHPrHPe

Role1 WS W OS W





RMMDI












RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia








119869 = 120582119863100381710038171003817100381710038171003817119860119881119881 119863 minus119882119881119881 119863 (119867119881119881 119863)T100381710038171003817100381710038171003817

2

119865

+ 120582119868100381710038171003817100381710038171003817119860119881119881 119868 minus119882119881119881 119868 (119867119881119881 119868)T100381710038171003817100381710038171003817

2

119865

+ 12058211986311986810038171003817100381710038171003817119882119881119881 119863 minus119882119881119881 11986810038171003817100381710038171003817

2

119865

119904119905 119867119881119881 119863 ge 0 119867119881119881 119868 ge 0

(17)



119867119881119881 119863 larr997888 119867119881119881 119863 sdot (119882119881119881 119863)119879119860119881119881 119863

(119882119881119881 119863)119879119882119881119881 119863119860119881119881 119863(18)

119867119881119881 119868 larr997888 119867119881119881 119868 sdot (119882119881119881 119868)119879119860119881119881 119868

(119882119881119881 119868)119879119882119881119881 119868119860119881119881 119868(19)

119882119881119881 119863 larr997888

119882119881119881 119863 sdot 120582119863119860119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119868

120582119863119882119881119881 119863119867119881119881 119863 (119867119881119881 119863)119879 + 120582119863119868119882119881119881 119863(20)

119882119881119881 119868 larr997888

119882119881119881 119868 sdot 120582119868119860119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119863

120582119868119882119881119881 119868119867119881119881 119868 (119867119881119881 119868)119879 + 120582119863119868119882119881119881 119868(21)






T1

T8



Web Server(WServer)

Ftp Server(FServer)

IPS


OA Server(OServer)



(GM3)

T7

Gate Machine2(GM2)

T13

Building 2


Router



































ServerAdministrator







S3


User9User10User13








44 Result






S1

ORCACMHPrHPe

Role1 WS W OS W



S2 HPr

Role1 WS W OS W





S2

ORCACMHPe

Role1 WS W OS W



S3

ORCACMHPrHPe

Role1 WS W OS W





RMMDI












RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



T1

T8



Web Server(WServer)

Ftp Server(FServer)

IPS


OA Server(OServer)



(GM3)

T7

Gate Machine2(GM2)

T13

Building 2


Router



































ServerAdministrator







S3


User9User10User13








44 Result






S1

ORCACMHPrHPe

Role1 WS W OS W



S2 HPr

Role1 WS W OS W





S2

ORCACMHPe

Role1 WS W OS W



S3

ORCACMHPrHPe

Role1 WS W OS W





RMMDI












RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


























ServerAdministrator







S3


User9User10User13








44 Result






S1

ORCACMHPrHPe

Role1 WS W OS W



S2 HPr

Role1 WS W OS W





S2

ORCACMHPe

Role1 WS W OS W



S3

ORCACMHPrHPe

Role1 WS W OS W





RMMDI












RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





S1

ORCACMHPrHPe

Role1 WS W OS W



S2 HPr

Role1 WS W OS W





S2

ORCACMHPe

Role1 WS W OS W



S3

ORCACMHPrHPe

Role1 WS W OS W





RMMDI












RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia





RMMDI


06

065

07

075

08

085

09

501 401 301 201 151 101 91 71 51 31 11 12 13 15 17 19 115 120 125 130 140 150







5 Discussion










06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia









06

065

07

075

08

085

09

01 02 03 04 05 07 09 1 15 3 5 7 9 10







04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1



0

01

02

03

04

05

06

07

08

09

1

005 01 015 02 025 03 035 04 045 05 055 06 065 07 075 08 085 09 095 1








6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






6 Conclusion


Data Availability




Acknowledgments


References











































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


rmmdi: a novel framework for role mining based on the

Documents