Article

Enhanced Adaptable and Distributed Access Control Decision Making Model Based on Machine Learning for Policy Conflict Resolution in BYOD Environment

by Aljuaid Turkea Ayedh M 1,2, Ainuddin Wahid Abdul Wahab 1,* and Mohd Yamani Idna Idris 1,3
1 Faculty of Computer Science and Information Technology, Universiti Malaya, Kuala Lumpur 50603, Malaysia
2 Faculty of Computing and Information Technology, Shaqra University, Shaqra 11961, Saudi Arabia
3 Center for Mobile Cloud Computing, Faculty of Computer Science and Information Technology, Universiti Malaya, Kuala Lumpur 50603, Malaysia
* Author to whom correspondence should be addressed.
Appl. Sci. 2023, 13(12), 7102; https://doi.org/10.3390/app13127102
Submission received: 19 April 2023 / Revised: 4 June 2023 / Accepted: 7 June 2023 / Published: 14 June 2023
(This article belongs to the Special Issue Advanced Technologies for Information Security and Privacy)

Abstract:
Organisations are adopting new IT strategies such as “Bring Your Own Device” (BYOD) and remote working. These trends benefit both enterprise owners and employees through increased productivity and reduced costs. However, security issues such as unauthorised access, as well as privacy concerns, pose significant obstacles. These can be addressed by adopting access control techniques and a dynamic security and privacy policy that governs these issues where they arise. Policy decision points in traditional access control systems, such as role-based access control (RBAC), attribute-based access control (ABAC) or relationship-based access control (ReBAC), may be limited because the access control state can change in response to minor changes in user and resource properties. As a result, system administrators resort to constructing complex rules with many conditions and permissions for decision control, which leads to policy conflicts, decision-making bottlenecks, delayed access response times and mediocre performance. This paper proposes a policy decision-making and access control model based on a supervised learning algorithm that enhances policy decision points (PDPs). This is achieved by transforming the PDP’s problem into a binary classification that either grants or denies an access request. A vector decision classifier based on a supervised machine learning algorithm is developed to produce an accurate, effective, distributed and dynamic PDP. Performance was evaluated on the Kaggle Amazon access control policy dataset, comparing the proposed mechanism with previous research benchmarks in terms of performance, time and flexibility. The proposed solution also preserves the privacy of access control policies because the PDP does not communicate directly with the policy administration point (PAP).
In conclusion, the ML-based PDP generates accurate decisions and can serve many large policies and a high volume of simultaneous access requests with 95% accuracy and a response time of around 0.15 s, without policy conflicts. Access control security is improved by making it dynamic, adaptable, flexible and distributed.

1. Introduction

Bring Your Own Device (BYOD), the practice of employees bringing their own devices to the workplace, has become common in recent years due to the widespread use of smartphones, smart watches, laptops and tablets. BYOD strategies have produced substantial benefits for businesses, such as reduced organisational costs and enhanced productivity when employees use their own devices. BYOD policies and access control technology are critical for defining restrictions and rights that prevent unauthorised users from accessing the corporate network and its resources. Such controls attempt to prevent actions that could result in a security breach and to ensure the confidentiality, availability, integrity and privacy of users and their data within the organisation [1]. However, numerous obstacles exist to successfully implementing BYOD policies and access control solutions, and security is one of the most challenging. This difficulty is exacerbated by the dynamic nature of BYOD access control systems and by the need for policy consistency [2]. For instance, in a BYOD scenario at a university, students and employees use numerous devices across multiple departments and colleges on separate campus branches, and a large number of entities issue access requests for resources and services to the university server at the same time. Existing access control policies are rigid because they rely on specific attributes and on a limited number of entities and policy sizes, yet the access control state can change with minor changes to user and resource variables. To manage this, system administrators rely on complicated rules with numerous criteria, limits or roles, many permissions and increasingly detailed rules.
These solutions raise many issues as rules become increasingly fine-grained, such as policy conflicts, role explosion, bottlenecks in access decision-making and delays in access response, which may introduce system vulnerabilities that attackers can exploit.
The most significant challenges that motivated this paper are policy conflicts, which create bottlenecks at the policy decision point when it tries to make the right decision in the dynamic, complex BYOD environment, where the attributes of the subject and the object change. Policy decisions should therefore be based on dynamic and adaptable technologies rather than on a static policy. A further problem is that traditional access control does not meet security requirements in the decentralised BYOD environment, which comprises multiple departments located on separate campuses, resulting in high access time costs, performance bottlenecks and limits on the number of access requests and the size of policies. A system that distributes access decisions to multiple nodes and responds to access requests in parallel should therefore be designed to reduce time costs, achieve high levels of privacy, transparency and security, support decentralised operation and resolve administrative and organisational complications. Distributed access is also known as “lightweight access control” since it reduces overhead by making single sign-on decisions based on attributes. Access decision-making should thus be distributed across multiple node locations to reduce access request time and ensure the privacy of access control policies.
This paper enhances an access control decision-making model based on supervised machine learning to address these challenges. Access requests and the PDP problem are transformed into a binary classification, either denial or approval. The solution evaluates several supervised learning algorithms, of which the random forest algorithm is the most accurate and effective at predicting the access decision. It also provides a distributed PDP through a distributed implementation algorithm. Implementing the proposed solution involves the following steps: dataset balancing, attribute and feature dimension reduction, building a training and testing model, and building a decision-making model. To evaluate the strategy’s effectiveness, this paper uses the Kaggle Amazon access control policy dataset and runs many experiments before and after the dataset balancing phase. Performance is evaluated in two ways: first, by contrasting the policy decision-making performance, access control flexibility and processing time of various machine learning (ML) algorithms; second, by comparing benchmark performance and time with previous methods to determine the solution’s effectiveness. The experimental findings indicate that the proposed solution achieves 95% accuracy in policy decision-making, and that the access decision time of the ML-based PDP remains around 0.15 s as the policy scale increases. This research makes several contributions, including:
  • Analyse and evaluate existing decision-making approaches in access control.
  • Enhance access control decision-making based on the attribute-based access control (ABAC) model to solve the abovementioned problems. In particular, a permission determination engine based on machine learning is proposed. The authorization request for PDP issues is classified as a binary classification either authorized or denied.
  • Improve the current access control by modifying the policy decision point (PDP) to be distributed and dynamic based on machine learning (ML) technology instead of an access decision based on predetermined rules and a centralized structure.
  • Optimise the Accuracy of PDP-based ML technology by balancing the data set and conducting numerous experiments before and after data processing to determine the optimal strategy.
  • Conduct an extensive evaluation of the solution using the Amazon access control policy dataset, which provides strong evidence of its effectiveness and robustness.
  • Compare the proposed method to other machine learning methods applied to the same dataset. The solution’s effectiveness is also measured by benchmark metrics, namely PDP performance and access decision time, against several state-of-the-art methods.
  • Introduce a solution that can protect and preserve policy information privacy during permission decisions through the policy decision point, which is independent of policy administration. It implies that the PDP and PAP are primarily independent. Also, it could provide secure, efficient, and lightweight access control.
The remaining sections of the paper are organised as follows: Section 2 discusses the motivation and problem statement. In Section 3, the background and related concepts are described. Next, Section 4 reviews relevant studies on access control and decision-making techniques. Section 5 proposes a model and explains the implementation steps in detail. Section 6 explains and analyses the experiments. Next, Section 8 includes the Discussion and finally, the conclusion is included in Section 9.

2. Motivation and Problem Statement

Work in this area is motivated by fundamental concepts and knowledge gaps. Traditional policy-based access control systems have limitations in a complex and dynamic environment where user and resource characteristics change. First, system administrators create complicated rules with numerous conditions and permissions. Second, they create increasingly fine-grained rules, resulting in policy conflicts, rule explosion and slower policy decision-making; expanding the scope of policies in conventional access control systems degrades their performance. In addition, there is a privacy concern when the policy decision point (PDP) communicates directly with the policy administration point (PAP) to generate an access decision within the same access process, since that communication path exposes the policy store to attack. Direct communication between the PDP and the PAP should therefore be avoided.
The current access control PDP is a centralised, multi-value logic system. When increasing the number of entities or expanding the scope of the policies, efficiency decreases. Consequently, the access control system’s performance will be impeded, as will the core business system’s normal functioning. Due to these flaws, the current access control system is insufficient, resulting in security issues such as attacks, expensive administration, policy conflicts, decision-making delays and poor performance. Therefore, an access control system should be adaptable enough to address complex and dynamic access control states and make appropriate decisions regarding unexpected access control requests. Implementing access decision-making distributed to multiple nodes is necessary, which reduces cost and is not limited by the number of policies and requests. In addition, it achieves a high level of privacy and delivers high-performance decisions promptly when distributing them.

3. Background and Related Concepts

This section overviews the fundamental concepts necessary to comprehend the proposed model’s architecture and components.

3.1. Access Control Models

Access control ensures that only authorised users are granted the appropriate access permissions to protect system resources’ privacy and integrity. There are two types of access control models, which are traditional and dynamic [3]. Traditional approaches to access control rely on policies that are inflexible and static. These policies are predetermined and always produce the same result, regardless of the circumstances. Consequently, this rigid approach to making access decisions is inflexible in changing and variable conditions [4]. Three primary traditional access control models exist: Discretionary Access Control, Mandatory Access Control and Role-based Access Control (RBAC).
Discretionary Access Control (DAC) models were created for multi-user databases and systems with a few previously known users. The user has complete control over every system resource. DAC gives access based on the identity and authorization of the user, as specified by open policies. Any user can be granted access to a resource by its owner [3]. The Mandatory Access Control model (MAC) is concerned with the security and integrity of information and is primarily employed in military and government applications. In MAC, a security policy administrator controls the policy, and the user cannot override it [3]. Next, Role-based Access Control (RBAC) consists of three components: users (subjects requesting access), roles (permission collection) and operations (actions on the target resource). Access permissions are associated with roles, and the proper role is assigned to the user. A user can be associated with one or more roles, and a role can contain one or more users. RBAC enables the categorization of users according to their jobs [5]. Dynamic access control models are distinguished by their use of access policies and dynamic contextual variables that are assessed in real-time at the moment of the request [6].

3.2. Access Control Components

This section explains the essential access control components [7], briefly described below:
  • Policy Enforcement Point (PEP): receives requests for entry to resources and forwards them to the Policy Decision Point (PDP), where access decisions are made. PEP executes the access decisions that PDP has transmitted. It ensures the fulfillment of obligations that PDP might include in access determinations.
  • Policy Decision Point (PDP): examines user access and makes decisions about access based on attributes that describe the parts of the access request (subject, resource and action) and relevant access control policies.
  • Policy Information Point (PIP): is the provider of characteristics PDP requires to assess access requests against ABAC policies. PIP captures information on the subject, relevant resource and environment where access requests occur and presents these attributes to the PDP via the context handler during access decision-making.
  • Policy Administration Point (PAP): enables policy management features, including adding, removing and updating access policies. Additionally, it stores the access policies that the policy administrator has set.
  • Attributes: these differentiate the entities in access control. Each attribute has a name, a value and a type: subject, resource, operation or environment. Subject attributes describe the access requester; resource attributes describe the resource being accessed; operation attributes describe how a subject interacts with a resource; environment attributes describe the context of the access, such as time and location.
  • Policies: an access control policy describes the rules governing subjects’ access to resources. It is a formal expression of the subject’s authorised behaviour towards the resource, written as (subject-tuple, resource-tuple, operation-tuple, environment-tuple, state), where the state determines whether access is allowed or refused.
  • Access Request: describes the user, the resource and the requested action. Formally it is expressed as a tuple of subject, resource and operation attributes.
  • Access Decision-Making: The final decision on whether users should be granted or refused access to an associated object will be based on the specific policy evaluation context.
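The interaction between these components, as an added worked example in Python (not code from the paper): a PAP holding policy tuples, a PIP resolving subject and resource attributes, a PDP applying a deny-overrides combining rule, and a PEP enforcing the answer. The policy names, attribute names and the two users are constructed for illustration. Note how two applicable policies with opposite effects produce exactly the policy conflict the paper discusses; the PDP must resolve it with a combining algorithm, and a request matching no policy is denied by default.

```python
"""PEP -> PDP -> PIP/PAP flow with attribute-tuple policies and a combining algorithm."""
from dataclasses import dataclass
from typing import Dict, List

Attrs = Dict[str, str]


@dataclass
class Policy:
    """(subject, resource, operation, environment, effect): each part lists required attribute values."""
    name: str
    subject: Attrs
    resource: Attrs
    operation: Attrs
    environment: Attrs
    effect: str  # "allow" or "deny"

    def applies_to(self, ctx: Attrs) -> bool:
        """Applicable when every attribute the policy names equals the request context's value."""
        for category in ("subject", "resource", "operation", "environment"):
            for key, value in getattr(self, category).items():
                if ctx.get(f"{category}.{key}") != value:
                    return False
        return True


class PAP:
    """Policy Administration Point: add, remove and look up policies."""
    def __init__(self) -> None:
        self.policies: List[Policy] = []

    def add(self, policy: Policy) -> None:
        self.policies.append(policy)

    def remove(self, name: str) -> None:
        self.policies = [p for p in self.policies if p.name != name]

    def applicable(self, ctx: Attrs) -> List[Policy]:
        return [p for p in self.policies if p.applies_to(ctx)]


class PIP:
    """Policy Information Point: supplies subject and resource attributes for the context."""
    def __init__(self, subjects: Dict[str, Attrs], resources: Dict[str, Attrs]) -> None:
        self.subjects, self.resources = subjects, resources

    def build_context(self, subject_id: str, resource_id: str, action: str, env: Attrs) -> Attrs:
        ctx: Attrs = {"subject.id": subject_id, "resource.id": resource_id, "operation.action": action}
        ctx.update({f"subject.{k}": v for k, v in self.subjects.get(subject_id, {}).items()})
        ctx.update({f"resource.{k}": v for k, v in self.resources.get(resource_id, {}).items()})
        ctx.update({f"environment.{k}": v for k, v in env.items()})  # e.g. device posture, time
        return ctx


class PDP:
    """Policy Decision Point: match policies, resolve conflicts with a combining algorithm."""
    def __init__(self, pap: PAP, pip: PIP, combining: str = "deny-overrides") -> None:
        self.pap, self.pip, self.combining = pap, pip, combining

    def decide(self, subject_id: str, resource_id: str, action: str, env: Attrs) -> dict:
        ctx = self.pip.build_context(subject_id, resource_id, action, env)
        matched = self.pap.applicable(ctx)
        effects = {p.effect for p in matched}
        conflict = len(effects) > 1          # applicable policies disagree
        if not matched:
            decision = "deny"                # default deny: no applicable policy
        elif conflict:
            decision = "deny" if self.combining == "deny-overrides" else "allow"
        else:
            decision = next(iter(effects))
        return {"decision": decision, "matched": [p.name for p in matched], "conflict": conflict}


class PEP:
    """Policy Enforcement Point: forwards the request and enforces the PDP's answer."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp, self.log = pdp, []

    def request(self, subject_id: str, resource_id: str, action: str, env: Attrs) -> bool:
        result = self.pdp.decide(subject_id, resource_id, action, env)
        self.log.append(result)
        return result["decision"] == "allow"


def build_demo() -> PEP:
    """Constructed university BYOD scenario: two policies, two users, one sensitive resource."""
    pap = PAP()
    pap.add(Policy("lecturer-reads-own-dept-grades",
                   subject={"role": "lecturer", "dept": "cs"},
                   resource={"type": "grades", "owner_dept": "cs"},
                   operation={"action": "read"}, environment={}, effect="allow"))
    pap.add(Policy("no-sensitive-data-from-unmanaged-device",
                   subject={}, resource={"sensitivity": "high"}, operation={},
                   environment={"device_managed": "no"}, effect="deny"))
    pip = PIP(subjects={"alice": {"role": "lecturer", "dept": "cs"},
                        "bob": {"role": "student", "dept": "cs"}},
              resources={"grades-db": {"type": "grades", "owner_dept": "cs", "sensitivity": "high"}})
    return PEP(PDP(pap, pip))


if __name__ == "__main__":
    pep = build_demo()
    pep.request("alice", "grades-db", "read", {"device_managed": "no"})
    print(pep.log[-1])  # both policies apply with opposite effects: conflict, resolved as deny
```

The environment attributes travel with the request from the PEP, while subject and resource attributes are looked up by the PIP; the PDP never sees raw policy text, only the PAP's answer to "which policies apply", which is the separation the paper later pushes further by training the PDP offline.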

4. Related Work

The relevant literature can be divided into two primary categories. First, priority is given to enforcing policy decision points (PDP) based on role, highlighting a research problem in traditional access control systems, such as inflexibility and static policies. When the scope of policies is expanded, access control decision implementation is impeded, causing role explosion and policy conflicts that result in increased maintenance costs. The second section discusses machine learning-based policy decision point enforcement, mainly how using machine learning techniques in access control decision-making has resolved issues with conventional access control. However, existing policy decision point enforcement-based ML methods have limitations, such as performance bottlenecks that result in poor PDP performance and high time costs.

4.1. Role-Based Policy Decision Point Enforcement

This section summarises relevant research on access decision enforcement strategies. The proposed access decisions in access control systems are based on rigid constraints and static roles and they do not provide BYOD users with extended and flexible access capabilities. Lee et al. [8] proposed an access control system based on MDM. The access decision can be implemented using the administration’s predefined static policies. This PDP lacks adaptability and dynamism, resulting in higher maintenance costs for unanticipated requests. Yanson in [9] found that in BYOD-enabled educational networks, WPA2-enterprise authentication is used for integrated access control, and a predetermined rule governs access decision implementation. Also, Gkamas et al. [10] introduced a secure access control policy for the Greek Schools Network to grant network access.
The implementation of access decision-making was predicated on static considerations such as identity verification. Oluwatimi et al. [11] introduced a proximity-based access control system that employs accelerometers and fingerprint sensors to implement access decisions in BYOD. Biometric sensors evaluate users’ behavioural and physiological characteristics to determine whether access should be granted or denied. Seneviratne and Senaratne [12] implemented an access control solution that integrates with existing authentication systems to manage BYOD access to network services, where the access decision is based on predefined policies for an individual user or group.
These approaches concentrate on making access decisions from predetermined, fixed rules. In complex and dynamic environments where the access request status is sensitive to minor changes in user attributes and resources, the PDP of a traditional access control system is limited. To work around these limitations, system administrators must create more complex rules with expanded permissions, which results in rule explosion, policy conflicts, access control system errors and increased maintenance costs. A PDP should therefore be enhanced to accommodate complex access control situations and to make appropriate decisions in response to unanticipated access requests.

4.2. Machine Learning-Based Policy Decision Point Enforcement

It has been determined that machine learning positively affects access control and has tremendous potential for further development. Machine learning is increasingly being used for security purposes. Furthermore, access control based on machine learning has been implemented in various contexts, including policy decision-making, verification and testing, administration and monitoring and policy extraction. This research will focus primarily on how machine learning is used in access decision-making, how it improves system performance and how it resolves related problems in the traditional PDP of access control.
In addition, the research efforts in [13,14,15,16,17] employed machine learning techniques for more accurate access control decision-making. These systems decide access based on a trained machine learning model that uses information about users and resources to determine whether access requests should be granted or denied. Furthermore, a machine learning model can be trained to make future access decisions based on the metadata and characteristics of users and resources. Wang et al. [14] introduced a new method of access control named “time constraint access control” that implements policies restricting user access based on the passage of time. The authors employ support vector machines (SVM) and divide the procedure into three phases: (1) input pattern modification; (2) SVM training; and (3) authority determination. First, the system administrator selects each user’s unique login time and password as part of the training data. Then, using only their passwords and the timestamps of their system logins, the trained SVMs classify users into groups and grant them the appropriate security privileges. Instead of relying on predefined access controls, trained SVMs are used to make security decisions. However, this solution is limited to time-constrained access regulations and does not consider the dynamics of policy conflict resolution.
Cappelletti et al. [13] suggested a method for determining access control decisions based on access history. The authors employed a variety of ML techniques, including support vector machines (SVM), decision trees (DT), random forests (RF) and multi-layer perceptrons (MLPs). The solution does not address PDP issues. Khilar et al. [16] provide a trust-based mechanism for granting access to cloud resources based on authorization behaviour and history. In addition, this approach considers additional criteria, such as user behaviour, fake requests, unapproved requests, prohibited requests, and range specifications. The solution does not address performance bottlenecks or unexpected access requests.
Srivastava et al. [17] implemented a risk-adaptive access control (RAAC) system that checks the requester, calculates risk and acts on access decisions accordingly, considering access time, location, frequency of requests and resource sensitivity. The experiments used RF and a two-hidden-layer neural network on a hospital management system (HMS). Karimi et al. [15] proposed an adaptive ABAC policy-learning approach to automate decision-making. The authors present a method that predicts policies based on the attributes of access requests and then executes the access decision using an Epsilon-Greedy-based reinforcement learning algorithm. However, a PDP performance of around 59% was unsatisfactory, and this method did not consider access response time.
Nobi et al. [18] introduced “deep learning-based access control” (DLBAC), which uses a black-box neural network to make access decisions with an accuracy of 88.5%. Karimi et al. [19] suggested a method for identifying patterns in access logs and deriving ABAC authorization rules from these patterns using k-means and k-modes, unsupervised learning algorithms with a high level of performance; however, the access decision time is prolonged. Mingshan et al. [19] suggested a decision-making Boosting Window (BW) algorithm for constructing an access control knowledge graph from user and resource attributes with approximately 89.64% performance, but it did not address access decision time.
Even though machine learning techniques have improved the dynamics of access control decision-making, there are still issues with access decisions, such as PDP bottlenecks, delayed access decision times and the inability to respond to unexpected access, which means access requests whose attributes are not predefined cannot be granted. This paper will propose a supervised machine learning technique for generating dynamic access control decisions with high performance and reduced time costs. When a conflict or PDP bottleneck occurs, this technique transforms the problem of policy decision points (PDPs) into an easily understood binary that accepts or denies access requests. The paper will investigate how prior research has influenced access control decision-making based on essential criteria for making the correct decision in the shortest amount of time and with the highest level of performance. Table 1 shows the evaluation of policy decision points (PDPs) based on the criteria of dynamic, distributed, conflict-free, performance, access decision time and machine learning use.
  • Dynamic: dynamic decision-making is interdependent decision-making in an environment that changes over time, whether through the decision-maker’s own actions or through external factors outside the decision-maker’s control.
  • Distributed: distributed access control distributes access decisions to multiple nodes and responds to access requests in parallel to reduce time costs and achieve high levels of privacy, transparency and security [21]. It is a lightweight access control system that reduces access control overhead by making decisions with a single login based on attributes. In addition, distributed systems bring decentralised operations and their administrative and organisational complications [22].
  • Conflict-Free: the decision-making process must not fail to issue a decision because of policy conflicts caused by growing rule sets, the number of entities, massive simultaneous access requests, or unexpected requests whose attributes differ from the PAP and PIP policies [23].
  • PDP Performance: making the correct, accurate decision on an access request, either allow or deny, in the shortest time possible while keeping the system safe from incorrect decisions [24].
  • Access Decision Time: the processing time from receiving an access request to enforcing the access decision. If it is considerable, it damages the security of access control [25].
  • ML-Based: decision-making relies on ML technologies to determine whether to grant or deny access.
According to Table 1, previous research efforts to enhance decision-making were limited and did not consider all criteria or access control issues. Therefore, this study will enhance access control decision-making by applying ML technology to make permission decisions that are distributed, accurate and dynamic, with a low access response time and high performance.

5. Proposed Model

This section discusses the proposed policy decision point (PDP) for access control based on machine learning (ML) and the differences between the suggested approach and previous methods. Besides that, the question of how access decisions can be made more dynamic, distributed, effective and accurate will be discussed.

5.1. Comparison of Traditional PDP in Access Control vs. Proposed PDP-Based ML Technology

This section outlines how the policy decision point (PDP) functions in conventional access control and explains how this research intends to address the shortcomings of conventional methods by rendering them more flexible, dynamic and secure. As seen in Figure 1, the typical access decision-making technique in policy decision points (PDP) performs logical functions on the access request until it is confirmed to comply with the suggested control policies. The procedure is outlined below.
  • The Policy Enforcement Point (PEP) transmits a request for access to the desired resource to the policy decision point (PDP).
  • After receiving the access request from the PEP, the PDP resolves the request’s attributes. These must be matched against the policies associated with the request at the policy administration point (PAP).
  • The PAP queries the pertinent policy set from all policy sets and returns the combined policies to the PDP, which produces the final response. If the final response is allow, the user gets direct access to the specified resource; if the outcome is deny, the user is refused access.
The classic PDP technique suffers from several issues. One of these is the bottleneck in PDP performance, which has four primary causes:
  • A significant increase in access control rules together with the parallel arrival of an enormous number of user requests that exceed the capacity of the policy decision point (PDP).
  • Matching the access request attributes against the policies of a massive policy administration point (PAP) to make an access decision, which becomes more difficult and time-consuming as the policy’s scope expands.
  • The traditional method determines authorization from the logical outcome of both the policies and the access request. There is a one-to-many relationship between an access request and multiple policies, so an increase in the number of requests may result in conflicts between authorization decisions and policies.
  • Direct communication between the PAP and the PDP may compromise the PAP’s privacy and allow policies to be violated, resulting in the PDP granting access to unauthorised users.
This study presents a distributed, adaptable and dynamic ML-based PDP approach to access control for making effective authorization decisions that addresses the issues above. Figure 2 illustrates the proposed method. Policy decision points (PDPs) are trained on the current access control policies in order to make authorization decisions offline, which is labelled “Train Offline Point” in Figure 2. During permission decisions, there is no interaction between the PDP and the actual policies in the PAP. To protect the privacy and security of the PAP, policy administration and permission determination are kept autonomous. At the same time, there is no need to query the associated access control policies during permission determination, so the decision can be delivered and executed independently of the rules. A lightweight, effective and reliable access control system is provided instead. The proposed model supports multiple permission decision architectures, which are flexible mapping methods that can improve access control decision-making performance in a BYOD environment. The following points describe the foundations upon which the proposed model is constructed.
  • Cascade and Distributed Architecture: a composite permission decision structure that sequentially executes sub-permission decision engines. This architecture can be used when companies need cross-domain data access. Policy data from the security organisations train the decision algorithms, and access to cross-domain resources is restricted for users [26].
  • Parallel Architecture: a composite authorization decision structure that lets each sub-authorization decision engine operate simultaneously and synchronously without depending on the others. Permission decisions are improved by diverting massive numbers of concurrent access requests across this parallel structure. Multiple decision-making processes reduce the likelihood of a system failure and increase system performance [27].
  • Conditional Structure: a composite permission decision structure that conditionally restricts which sub-permission decision engines execute. As a result, the level of business engagement determines which sub-permission decision algorithm runs. In addition, the decision structure can be reused more readily, since the sub-permission decision engines work independently [24].
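The three composite structures above, as an added example that is not the paper's own code: each sub-decision engine is a plain function from an access request (a dictionary of attributes) to permit/deny, and the three constructed engines, the combination rules (cascade: every engine in sequence must permit; parallel: a quorum of concurrently collected votes; conditional: a selector picks the one engine relevant to the request) and the attribute names are assumptions made for the demonstration.

```python
"""Composite PDP structures (cascade, parallel, conditional) for a BYOD setting.

Added illustration, not code from the paper. A sub-decision engine is a plain
function from an access request (dict of attributes) to True (permit) or
False (deny). The three constructed engines and the combination rules
(cascade = every engine must permit, parallel = quorum of concurrent votes,
conditional = selector picks one engine) are assumptions for this demo.
"""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

Request = Dict[str, str]
Engine = Callable[[Request], bool]


# Constructed engines standing in for per-domain trained decision models.
def hr_engine(req: Request) -> bool:
    return req["role"] in {"hr", "manager"}


def finance_engine(req: Request) -> bool:
    return req["role"] in {"finance", "manager"} and req["device"] == "managed"


def device_engine(req: Request) -> bool:
    return req["device"] in {"managed", "enrolled-byod"}


def cascade(engines: List[Engine]) -> Engine:
    """Cascade: engines run one after another and the chain stops at the
    first deny, so a cross-domain request must satisfy every domain."""
    def decide(req: Request) -> bool:
        for engine in engines:
            if not engine(req):
                return False
        return True
    return decide


def parallel(engines: List[Engine], quorum: int) -> Engine:
    """Parallel: engines run concurrently and independently of each other;
    the request is permitted when at least `quorum` engines permit it."""
    def decide(req: Request) -> bool:
        with ThreadPoolExecutor(max_workers=len(engines)) as pool:
            votes = list(pool.map(lambda engine: engine(req), engines))
        return sum(votes) >= quorum
    return decide


def conditional(selector: Callable[[Request], Engine]) -> Engine:
    """Conditional: only the engine chosen for the request's business context
    runs, so the sub-engines stay independent of one another."""
    def decide(req: Request) -> bool:
        return selector(req)(req)
    return decide


def select_by_resource(req: Request) -> Engine:
    return {"hr-db": hr_engine, "ledger": finance_engine}.get(req["resource"], device_engine)


CASCADE_PDP = cascade([device_engine, hr_engine])
PARALLEL_PDP = parallel([hr_engine, finance_engine, device_engine], quorum=2)
CONDITIONAL_PDP = conditional(select_by_resource)

if __name__ == "__main__":
    req = {"role": "hr", "device": "enrolled-byod", "resource": "hr-db"}
    for name, pdp in [("cascade", CASCADE_PDP), ("parallel", PARALLEL_PDP), ("conditional", CONDITIONAL_PDP)]:
        print(name, "->", "permit" if pdp(req) else "deny")
```

The cascade fails closed on the first deny, which is the property that makes it suitable for cross-domain access; the parallel form tolerates one engine being unavailable or wrong because a single vote cannot flip the quorum on its own.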

5.2. An Enhanced Distributed and Adaptable PDP Model Based on ML Technology for Access Control

Figure 3 shows the general structure of the enhanced PDP algorithm for access control using machine learning. The overall architecture consists of models for feature extraction and processing, training, testing and making authorization decisions. During the processing and extraction of the dataset properties, the access control rules were converted into vectors so that the policies could be evaluated as a single attribute. After training and validation, this attribute was used to determine the access decisions for access requests.

5.2.1. Balancing Access Control Policy Datasets

The actual access policy set is an imbalanced dataset. In a dataset of access policies, there can be substantial variation between the number of policies permitted and the number denied. For example, the number of allowed policies in the Kaggle Amazon access control dataset is much greater than the number of denied policies. The model’s performance will suffer if such unbalanced datasets are used. Samples representative of the entire population can be generated using adaptive synthetic sampling (ADASYN). The computation procedure is detailed below.
  • Determine the degree of imbalance between the minority group (denied policies, $M_d$) and the majority group (allowed policies, $M_a$) using the following equation, where $B$ indicates the degree of imbalance.
    $$ B = \frac{M_d}{M_a}, \quad B \in [0, 1]. $$
  • Compute the quantity of data that should be synthesised. When $\alpha = 1$, $G_N$ equals the difference between the size of the allowed policies dataset (majority group) and the size of the denied policies dataset (minority group), so that the minority and majority groups are exactly balanced within the synthesised dataset.
    $$ G_N = \alpha \, (M_a - M_d), \quad \alpha \in [0, 1]. $$
  • Each sample from the minority group has $F$ nearest neighbours, determined by Euclidean distance; $N_a$ is the number of majority-group samples among those $F$ neighbours.
    $$ e_i = \frac{N_a}{F}, \quad e_i \in [0, 1]. $$
  • Normalise these ratios across the minority group so that they sum to one.
    $$ \hat{e}_i = \frac{e_i}{\sum_{i=1}^{m_a} e_i}, \quad \sum_{i=1}^{m_a} \hat{e}_i = 1. $$
  • Determine the number of samples that should be synthesised for each minority-group sample.
    $$ g_{n_i} = \hat{e}_i \cdot G_N. $$
  • When performing data synthesis ($SY$), choose one minority-group sample $v_{zi}$ from the $K$ samples closest to each minority-group sample $v_i$ ($K$ = number of nearest neighbours).
    $$ SY_i = v_i + \beta \cdot (v_{zi} - v_i), \quad \beta \in [0, 1]. $$
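The six ADASYN steps carried through on a small constructed policy set, as an added example that is not the paper's own code; it keeps the paper's symbols ($M_d$, $M_a$, $B$, $G_N$, $F$, $N_a$, $e_i$, $g_{n_i}$, $SY_i$). The policy vectors are constructed, and plain Euclidean distance on raw feature values, rounding each quota to a whole number and the fixed random seed are assumptions made for the example.

```python
"""Worked ADASYN balancing of an access-policy dataset, following the steps
above with the paper's symbols (M_d, M_a, B, G_N, F, N_a, e_i, g_n_i, SY_i).

Added illustration, not the paper's code. The policy vectors are constructed,
and the choice of plain Euclidean distance over raw feature values, the
rounding of each quota g_n_i to a whole number and the fixed random seed are
assumptions made for the example.
"""
import math
import random
from typing import Dict, List, Tuple

Vector = Tuple[float, ...]
Labelled = Tuple[Vector, int]

# Constructed, already-vectorised policies: label 1 = allowed (majority), 0 = denied (minority).
POLICIES: List[Labelled] = [
    ((1.0, 1.0), 1), ((1.5, 1.2), 1), ((2.0, 0.8), 1), ((2.5, 1.5), 1),
    ((3.0, 1.0), 1), ((3.5, 1.4), 1), ((4.0, 0.9), 1), ((4.5, 1.3), 1),
    ((5.0, 1.1), 1), ((5.5, 0.7), 1), ((6.0, 1.2), 1), ((6.5, 1.0), 1),
    ((2.2, 1.1), 0), ((3.2, 1.2), 0), ((4.2, 1.0), 0), ((7.5, 3.0), 0),
]


def euclid(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(point: Vector, pool: List[Labelled], n: int) -> List[Labelled]:
    """The n items of `pool` closest to `point`, excluding the point itself."""
    others = [item for item in pool if item[0] != point]
    return sorted(others, key=lambda item: euclid(point, item[0]))[:n]


def adasyn(data: List[Labelled], F: int = 5, K: int = 3, alpha: float = 1.0, seed: int = 7) -> Dict:
    rng = random.Random(seed)
    minority = [p for p, y in data if y == 0]
    majority = [p for p, y in data if y == 1]
    M_d, M_a = len(minority), len(majority)

    B = M_d / M_a                               # step 1: degree of imbalance
    G_N = int(round(alpha * (M_a - M_d)))       # step 2: total number to synthesise

    # step 3: e_i = N_a / F, the share of majority samples among the F nearest neighbours
    e = []
    for v_i in minority:
        neighbours = nearest(v_i, data, F)
        N_a = sum(1 for _, y in neighbours if y == 1)
        e.append(N_a / F)

    # step 4: normalise so the weights sum to 1 (uniform if no minority sample borders the majority)
    total = sum(e)
    e_hat = [x / total for x in e] if total > 0 else [1.0 / M_d] * M_d

    # step 5: per-sample quota g_n_i = e_hat_i * G_N (rounded to whole samples)
    g_n = [int(round(w * G_N)) for w in e_hat]

    # step 6: SY_i = v_i + beta * (v_zi - v_i), v_zi drawn from the K nearest minority samples
    minority_items: List[Labelled] = [(p, 0) for p in minority]
    synthetic: List[Vector] = []
    for v_i, quota in zip(minority, g_n):
        candidates = nearest(v_i, minority_items, K)
        for _ in range(quota):
            v_zi = rng.choice(candidates)[0]
            beta = rng.random()
            synthetic.append(tuple(a + beta * (b - a) for a, b in zip(v_i, v_zi)))

    return {"B": B, "G_N": G_N, "e": e, "e_hat": e_hat, "g_n": g_n, "synthetic": synthetic}


if __name__ == "__main__":
    result = adasyn(POLICIES)
    print(f"B = {result['B']:.3f}, G_N = {result['G_N']}, quotas = {result['g_n']}")
    balanced = POLICIES + [(p, 0) for p in result["synthetic"]]
    print(f"{len(POLICIES)} policies before balancing, {len(balanced)} after")
```

Because $e_i$ weights each denied policy by how many allowed policies surround it, the synthetic samples concentrate on the part of the feature space where a trained PDP is most likely to confuse the two decisions; the outlying denied policy at (7.5, 3.0) gets the largest quota for exactly that reason.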

5.2.2. Chi-Square Algorithm for Feature Selection

In the chi-square algorithm, identifying the important features is challenging because the key features for a particular dataset must be chosen, and the number of features to keep must be initialised before the most valuable features are known. To overcome this, the computation was repeated several times: first on one independent feature, checking the outcome, then on two independent features, and so on until all features had been checked.
“Observed frequency” is the number of observations of a class for a given feature value; “Expected frequency” is the number of observations of that class that would be expected if the feature and the target had no relationship. The chi-square score is computed from each observed/expected pair as:
$$ \chi^2 = \frac{(\text{Observed frequency} - \text{Expected frequency})^2}{\text{Expected frequency}} $$
The features retained by the chi-square algorithm were then scaled with a standard scaler. The formula for calculating the standard score of a sample $x$ is:
$$ z = \frac{(x - \mu)}{s} $$
where $\mu$ is the mean of the training samples (or 0 if with_mean = False) and $s$ is the standard deviation of the training samples (or 1 if with_std = False).
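Chi-square ranking of categorical request attributes against the ACTION label, followed by standard scaling of a retained feature, as an added example that is not the paper's code. The access records are constructed; the field names follow the dataset description (RESOURCE, ROLE1, ROLE2, ACTION). Ranking all features at once stands in for the paper's repeated runs with one, two, ... features, since the ranked list yields the same order.

```python
"""Chi-square feature ranking followed by standard scaling (Section 5.2.2).

Added illustration, not the paper's code. The access records are constructed;
the field names follow the dataset description (RESOURCE, ROLE1, ROLE2,
ACTION). Ranking every feature at once stands in for the paper's repeated runs
with one, two, ... features, since the ranked list gives the same order.
"""
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed access records: categorical codes plus the ACTION label (1 = allowed).
RECORDS: List[Dict[str, int]] = [
    {"RESOURCE": 100, "ROLE1": 10, "ROLE2": 5, "ACTION": 1},
    {"RESOURCE": 100, "ROLE1": 10, "ROLE2": 5, "ACTION": 1},
    {"RESOURCE": 100, "ROLE1": 10, "ROLE2": 6, "ACTION": 1},
    {"RESOURCE": 200, "ROLE1": 10, "ROLE2": 6, "ACTION": 1},
    {"RESOURCE": 200, "ROLE1": 20, "ROLE2": 5, "ACTION": 0},
    {"RESOURCE": 300, "ROLE1": 20, "ROLE2": 5, "ACTION": 0},
    {"RESOURCE": 300, "ROLE1": 20, "ROLE2": 6, "ACTION": 0},
    {"RESOURCE": 300, "ROLE1": 20, "ROLE2": 6, "ACTION": 0},
]


def chi_square(records: List[Dict[str, int]], feature: str, target: str = "ACTION") -> float:
    """Sum over every (feature value, class) cell of
    (Observed frequency - Expected frequency)^2 / Expected frequency,
    where the expected count assumes the feature and the target are independent."""
    n = len(records)
    observed = Counter((r[feature], r[target]) for r in records)
    value_totals = Counter(r[feature] for r in records)
    class_totals = Counter(r[target] for r in records)
    score = 0.0
    for value, v_total in value_totals.items():
        for cls, c_total in class_totals.items():
            expected = v_total * c_total / n
            score += (observed[(value, cls)] - expected) ** 2 / expected
    return score


def rank_features(records: List[Dict[str, int]], features: List[str], target: str = "ACTION") -> List[Tuple[str, float]]:
    """Features ordered from most to least associated with the target."""
    scores = {f: chi_square(records, f, target) for f in features}
    return sorted(scores.items(), key=lambda item: item[1], reverse=True)


def standard_scale(values: Sequence[float], with_mean: bool = True, with_std: bool = True) -> List[float]:
    """z = (x - mu) / s, with mu = 0 when with_mean is off and s = 1 when
    with_std is off (the convention the text describes)."""
    n = len(values)
    mean = sum(values) / n
    mu = mean if with_mean else 0.0
    s = math.sqrt(sum((x - mean) ** 2 for x in values) / n) if with_std else 1.0
    if s == 0.0:
        s = 1.0          # constant feature: leave it unscaled instead of dividing by zero
    return [(x - mu) / s for x in values]


if __name__ == "__main__":
    for name, score in rank_features(RECORDS, ["RESOURCE", "ROLE1", "ROLE2"]):
        print(f"{name:9s} chi-square = {score:.2f}")
    print("scaled ROLE1:", standard_scale([r["ROLE1"] for r in RECORDS]))
```

ROLE2 scores zero because its values are distributed identically across allowed and denied records, which is precisely the "no relationship" case the expected frequency encodes; an attribute like that adds nothing to the PDP and only enlarges the vector the classifier must learn.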

5.2.3. Model Training

The random-forest (RF) ensemble learning method is especially beneficial for constructing predictive models for classification and regression issues. Multiple learning models were trained concurrently using a group learning strategy to improve the Accuracy of predictions. Random Forest builds a whole forest of uncorrelated classification and regression trees to predict optimal outcomes.
1. Repeated sampling with replacement was carried out on the complete training set. The entire training set was partitioned into z subsets, Subsets 1, 2, 3 … z − 1, where n denotes the total number of records in the entire set and its subsets.
2. Each training subset has its own classification and regression tree (CART). In particular, m features were selected randomly from the complete set of attributes. The optimal feature among those m was then used to perform the division. Next, the new tree node was subdivided according to the GINI value of the remaining m − 1 attributes. Finally, GINI impurity was applied to each new tree node until the leaves of the tree could not be divided any further.
3. This yields L classification and regression tree (CART) decision trees, one per training subset. Every CART tree produces one decision outcome for the input parameter ($T_i$). For example, if the decision result was access-allowed, the tree’s decision result ($T_i$) value is 1.0. The votes of all the decision trees are then aggregated:
$$ Vote(v) = \sum_{i=1}^{L} ResultDecision(T_i) $$
4. The final authorization decision formula was obtained from the input user characteristics as follows:
$$ Authorization(access\ request) = \begin{cases} 1 & \text{if } \frac{Vote(v)}{L} > 0.5 \\ 0 & \text{if } \frac{Vote(v)}{L} \le 0.5 \end{cases} $$
The user can access the requested object if Authorization(access request) equals 1; otherwise, access is denied. By splitting its nodes, the CART tree purifies the data, and its results are correspondingly more accurate. In the classification problem, the GINI result measures the purity of the tree’s nodes. As a general rule, GINI scores are calculated as follows:
$$ GINI = 1 - \sum_{i=1}^{c} (p_i)^2 $$
The impurity left by a division intensifies as GINI increases. For this reason, the child node with the lowest GINI score is used as the basis for splitting the classification tree. Overfitting is also minimised by simplifying the decision tree with the cost-complexity strategy. If a non-leaf node has a surface error gain of less than one, cost-complexity pruning eliminates its left and right children. In cases where the minimal surface error gain is the same for several non-leaf nodes, the node with the fewest leaves is selected for elimination. The surface error gain is calculated with the following formula:
$$ E(T) = \sum_{i}^{m} e_i(t) \cdot p_i(t), \qquad \alpha = \frac{E(t) - E(T)}{N(T) - 1} $$
in which E(t) is the error cost of node t treated as a leaf, calculated from the node’s error rate e(t) and its data ratio p(t) as E(t) = e(t) · p(t); E(T) is the error cost of the subtree rooted at t, computed from the child node error rates $e_i(t)$ and child node data ratios $p_i(t)$; and N(T) is the subtree node count.
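The four training steps and the voting rule carried through in code, as an added example that is not the paper's own implementation: bootstrap subsets, splits chosen by GINI impurity, one vote per tree and the $Vote(v)/L > 0.5$ threshold. The training records are constructed (ROLE1 is the decisive attribute), each tree is a single GINI-chosen split to keep the example short, and a tied leaf fails closed (deny); all three are assumptions.

```python
"""Random-forest authorization decision following the four steps above:
bootstrap subsets, CART-style splits chosen by GINI impurity, one vote per
tree, and the Vote(v)/L > 0.5 threshold. Added illustration, not the paper's
code. The training records are constructed (ROLE1 is the decisive attribute),
each tree is a depth-one split to keep the example short, and ties at a leaf
fail closed (deny); all three are assumptions.
"""
import random
from collections import Counter
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Record = Dict[str, int]
Tree = Callable[[Record], int]

BASE: List[Record] = [
    {"RESOURCE": 100, "ROLE1": 10, "ROLE2": 5, "ACTION": 1},
    {"RESOURCE": 100, "ROLE1": 10, "ROLE2": 5, "ACTION": 1},
    {"RESOURCE": 100, "ROLE1": 10, "ROLE2": 6, "ACTION": 1},
    {"RESOURCE": 200, "ROLE1": 10, "ROLE2": 6, "ACTION": 1},
    {"RESOURCE": 200, "ROLE1": 20, "ROLE2": 5, "ACTION": 0},
    {"RESOURCE": 300, "ROLE1": 20, "ROLE2": 5, "ACTION": 0},
    {"RESOURCE": 300, "ROLE1": 20, "ROLE2": 6, "ACTION": 0},
    {"RESOURCE": 300, "ROLE1": 20, "ROLE2": 6, "ACTION": 0},
]
TRAIN: List[Record] = BASE * 2          # constructed training set, duplicated for a larger bootstrap pool
FEATURES = ["RESOURCE", "ROLE1", "ROLE2"]


def gini(labels: Sequence[int]) -> float:
    """GINI = 1 - sum_i p_i^2 over the classes present at a node (0 = pure)."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((count / n) ** 2 for count in Counter(labels).values())


def majority(labels: Sequence[int]) -> int:
    """Leaf decision; a tie fails closed (deny)."""
    counts = Counter(labels)
    return 1 if counts[1] > counts[0] else 0


def best_split(rows: List[Record], features: List[str]) -> Tuple[float, str, int, int, int]:
    """Evaluate every (feature == value) split and keep the one whose two
    children have the lowest size-weighted GINI."""
    best = None
    for f in features:
        for value in sorted({r[f] for r in rows}):
            left = [r["ACTION"] for r in rows if r[f] == value]
            right = [r["ACTION"] for r in rows if r[f] != value]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, value, majority(left), majority(right))
    return best


def build_tree(rows: List[Record], m: int, rng: random.Random) -> Tree:
    chosen = rng.sample(FEATURES, m)                      # m attributes picked at random
    _, f, value, on_match, on_other = best_split(rows, chosen)
    return lambda req: on_match if req[f] == value else on_other


def train_forest(rows: List[Record], L: int, m: int, seed: int = 3) -> List[Tree]:
    rng = random.Random(seed)
    forest = []
    for _ in range(L):
        subset = [rng.choice(rows) for _ in rows]          # sampling with replacement
        forest.append(build_tree(subset, m, rng))
    return forest


def vote(results: Iterable[int]) -> int:
    """Vote(v) = sum of the L per-tree decisions (1 = access allowed)."""
    return sum(results)


def authorization(vote_count: int, L: int) -> int:
    """1 when Vote(v)/L > 0.5, otherwise 0 (deny)."""
    return 1 if vote_count / L > 0.5 else 0


def decide(forest: List[Tree], req: Record) -> int:
    return authorization(vote(tree(req) for tree in forest), len(forest))


if __name__ == "__main__":
    forest = train_forest(TRAIN, L=15, m=2)
    print(decide(forest, {"RESOURCE": 100, "ROLE1": 10, "ROLE2": 5}))  # expected 1 (allow)
    print(decide(forest, {"RESOURCE": 300, "ROLE1": 20, "ROLE2": 6}))  # expected 0 (deny)
```

Note that the threshold is strict: an evenly split forest (Vote(v)/L = 0.5) denies, so an even number of trees never produces an accidental grant, and a leaf with equal counts also denies. Both choices keep the PDP fail-closed, which matters more for an access decision than for an ordinary classifier.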

6. Implementation Setup and Evaluation Criteria

This section discusses the experiment’s tools, datasets, procedure and performance metrics.

6.1. Datasets and Tools

The dataset, freely available on Kaggle, originates from the access control policy challenge for Amazon employees [15]. The dataset contains 32,769 samples with ten features. The training set contains a single label attribute named “ACTION” with the values “1” and “0” indicating application approval and rejection, respectively. The features are ACTION, RESOURCE, MGRID, ROLE1, ROLE2, ROLE3, ROLE4, ROLE5, ROLE6 and ROLE7. A data balancing process was performed on the experimental data, which was then randomly divided into training data (80%) and testing data (20%). The implementation ran on a Mac with an Apple M1 processor for machine learning performance, 64 GB of memory and Python 3.10.

6.2. Performance Evaluation Criteria

The following performance evaluation criteria were used to assess the effectiveness of the proposed solution in improving the policy decision point. First, the confusion matrix in Table 2 was defined from the decision-making results: $D_{AA}$ is the number of allowed-access samples correctly classified as allowed, $D_{AR}$ the number of allowed-access samples incorrectly denied, $D_{RA}$ the number of denied-access samples incorrectly allowed, and $D_{RR}$ the number of denied-access samples correctly refused. Each access decision case (access attempt) is discussed separately in the following:
  • Positive prediction of denied access attempts: indicates denied access request correctly classified as denied access decision.
  • Positive prediction of allowed access attempts: indicates allowed access request correctly classified as allowed access decision.
  • Negative prediction of denied access attempts: indicates denied access request incorrectly classified as allowed access decision.
  • Negative prediction of allowed access attempts: indicates allowed access request incorrectly classified as denied access decision.
1. Accuracy Metric: used to evaluate the effectiveness of policy decision points in access control strategies in all scenarios. It is the number of correct decisions divided by the total number of decisions. Using the confusion matrix (CM), Accuracy is calculated with the following formula:
$$ Accuracy = \frac{D_{AA} + D_{RR}}{D_{AA} + D_{AR} + D_{RA} + D_{RR}} $$
2. Precision Metric: computed by dividing the number of positive samples correctly identified by the total number of samples identified as positive (whether correctly or not). In other words, it is the proportion of the samples that were allowed that should in fact have been allowed. It was determined with the following formula:
$$ Precision = \frac{D_{AA}}{D_{AA} + D_{RA}} $$
3. Recall Metric: the proportion of the samples that should be allowed that were actually classified as allowed. The Recall metric examines how completely the model identifies the positive samples and is concerned only with their correct categorisation, regardless of how the negative samples are categorised (that is the concern of Precision). Even if the model incorrectly labels every denied sample as allowed, Recall will still be 100%, because negative samples are disregarded and Recall is computed from the positive samples alone.
$$ Recall = \frac{D_{AA}}{D_{AA} + D_{AR}} $$
4. F1-score Metric: the F1-score is the harmonic mean of Precision and Recall, the two most significant components, and is effective for unbalanced data. The harmonic mean differs from the arithmetic mean. The F1-score is computed with this formula:
$$ F1\text{-}score = \frac{2 \cdot Precision \cdot Recall}{Precision + Recall} $$
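The four metrics computed from the confusion-matrix cells defined above, as an added example that is not the paper's code. The ground-truth and predicted decisions are constructed. Beyond the page's formulas, it also reports Precision and Recall from the denied class's point of view (the first and third prediction cases listed above), because for a PDP the share of unauthorised requests that were actually stopped is the number a defender most wants to see.

```python
"""Confusion-matrix metrics for PDP decisions, using the cell names above:
D_AA allowed requests classified as allowed, D_AR allowed requests wrongly
denied, D_RA denied requests wrongly allowed, D_RR denied requests correctly
refused. Added illustration, not the paper's code; the decision lists are
constructed. It also reports the same metrics from the denied class's point of
view, which the four prediction cases above describe but the formulas do not.
"""
from typing import Dict, Sequence

# Constructed ground truth (1 = allowed, 0 = denied) and PDP predictions.
ACTUAL = [1, 1, 1, 1, 1, 1, 0, 0, 0, 0]
PREDICTED = [1, 1, 1, 1, 1, 0, 1, 1, 0, 0]


def confusion(actual: Sequence[int], predicted: Sequence[int]) -> Dict[str, int]:
    cells = {"D_AA": 0, "D_AR": 0, "D_RA": 0, "D_RR": 0}
    for a, p in zip(actual, predicted):
        if a == 1:
            cells["D_AA" if p == 1 else "D_AR"] += 1
        else:
            cells["D_RA" if p == 1 else "D_RR"] += 1
    return cells


def _ratio(num: float, den: float) -> float:
    return num / den if den else 0.0   # empty denominator: report 0 rather than crash


def metrics(c: Dict[str, int]) -> Dict[str, float]:
    accuracy = _ratio(c["D_AA"] + c["D_RR"], sum(c.values()))
    precision = _ratio(c["D_AA"], c["D_AA"] + c["D_RA"])   # of the requests we allowed, how many should have been
    recall = _ratio(c["D_AA"], c["D_AA"] + c["D_AR"])      # of the requests that should be allowed, how many were
    f1 = _ratio(2 * precision * recall, precision + recall)
    # Denied-class view: denied_recall is the share of unauthorised requests the PDP actually stopped.
    denied_precision = _ratio(c["D_RR"], c["D_RR"] + c["D_AR"])
    denied_recall = _ratio(c["D_RR"], c["D_RR"] + c["D_RA"])
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1,
            "denied_precision": denied_precision, "denied_recall": denied_recall}


if __name__ == "__main__":
    for name, value in metrics(confusion(ACTUAL, PREDICTED)).items():
        print(f"{name:17s} {value:.4f}")
```

The edge case the Recall paragraph describes is visible in the second assertion below: a PDP that allows everything still scores a Recall of 100% on the allowed class, while its denied-class Recall drops to zero, which is why Recall on the allowed class alone says nothing about unauthorised access.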

7. Results Analysis

This section analyses the results of evaluating the performance enhancement of the policy decision point (PDP) in access control using the receiver operating characteristic (ROC) curve and the area under the curve (AUC) for various techniques before and after data processing. It also compares the performance of several machine learning approaches, the response times of access control decision-making to BYOD user requests, and the flexibility of the access control.

7.1. Performance

The receiver operating characteristic (ROC) curve illustrates the relationship between the number of positive predictions in the policy decision point (PDP) outcomes and the number of samples; that is, the proposed method’s accuracy in identifying the appropriate access requests that are granted access to the organisation’s resources and the inappropriate access requests that are rejected immediately and dynamically. There are many reasons behind each prediction case. Take false rejections: if the model’s features do not represent the data, the algorithm may generate less accurate results, leading to false denials. In addition, models that have been overfitted may generalise poorly to new data, leading to false rejections. The algorithm may also make erroneous rejections if the model is not tuned or the hyperparameters are not optimised. For example, if the number of trees in the forest is insufficient, the model may not capture the data’s underlying patterns, resulting in false rejections, and if the trees are too shallow or too deep, the model may be less accurate on new data. Lastly, if the dataset is noisy or contains outliers, the model may produce inaccurate outcomes and false rejections. In our experiment, the algorithm incorrectly rejected some samples. The number of samples in each class differs because the dataset is unbalanced (the number of allowed policies in a policy set is greater than the number of denied policies).
Based on the experimental results illustrated in Figure 4 and Figure 5, it can be concluded that the receiver operating characteristic (ROC) curve is unchanged by the distribution of the sample group. Consequently, the performance (ROC) of the algorithms was poor prior to the data balancing method. Furthermore, the k-nearest neighbours (KNN) and support vector machine (SVM) algorithms cannot provide an optimal and accurate access decision response in the PDP during access control. Following data processing (the balancing phase), the overall performance of the proposed algorithms improved. As seen in Table 3, the random forest (RF) algorithm achieved an ideal AUC of 0.98. This approach enhances the PDP’s access control capabilities in response to access requests, and shows that the RF algorithm successfully implemented parallelism, effectively resolving issues caused by competing policies. Working in a distributed manner, it helped to alleviate the bottleneck in the decision-making process. These advantages significantly improved the overall security of the access control system.
Finally, to evaluate the methodology, the same estimation parameters were generated and the Accuracy, Recall, Precision and F1-score values were compared for the response performance of the policy decision point (PDP) during access control. As shown in Figure 6, logistic regression (LR) performs the worst, followed by support vector machines (SVM), whereas k-nearest neighbours (KNN), decision tree (DT) and random forest (RF) have comparable performance and values. In addition, Table 4 presents the performance before data processing (before the balancing phase), and Table 5 examines the effectiveness of the four primary metrics across various strategies and

7.2. Time

Time is a crucial aspect of access control security, as it enables timely and dynamic updates to the system’s access control policy as well as prompt responses to access requests, therefore preventing the access control system from becoming a bottleneck. As a result, as depicted in Figure 7, the training time of each model was analysed along with the update time a policy decision point (PDP) needs to approve or deny an access request. The SVM algorithm required more training time than the other techniques, whereas the LR, KNN and DT algorithms required the same amount of time. Additionally, Figure 8 shows the testing times of the various methods after applying the data balancing techniques, focusing on security access decision-making. The methods considered were random forest (RF), k-nearest neighbours (KNN), decision tree (DT), logistic regression (LR) and support vector machine (SVM), and the analysis evaluated their testing times after data balancing. The results indicated that RF, KNN, DT and LR all exhibited testing times of zero seconds, whereas SVM exhibited a testing time exceeding 0.15 seconds. These findings provide insight into each method’s computational efficiency and resource utilisation in the context of security access decision-making. Furthermore, they contribute to understanding the impact of data balancing on testing times and inform the selection of appropriate methods for security access decision-making tasks.

7.3. Flexibility

Compared with a PDP based on machine learning, the traditional way in which the PDP is implemented in access control systems, as a logical process, offers flexible and fast decision times as long as the feature attributes remain unchanged. However, it is vulnerable to changes in the feature attributes, to large policy scales, to huge numbers of simultaneous requests and to unexpected access requests, all of which negatively impact the flexibility of the access control system. The ML-based PDP has enhanced overall performance, flexibility and adaptability to meet the access control needs of massive request volumes and complex policy sets in real time. Figure 9 depicts the outcomes of an experiment analysing the flexibility of the ML-based PDP in terms of policy size over time. The access control response per second to complex policies was used to evaluate flexibility. In the experiment, random requests against policy sets ranging from 1000 to 6000 policies were sent, and the time cost was approximately 0.15 s when the policy scale was 6000. The model therefore responded well to growth in the policy size.

7.4. Complexity of PDP Based ML and Scaling Issues

The distributed and adaptable policy decision point (PDP) based on the ML algorithm can be parallelised across multiple processors or nodes, making it simple to scale. However, the unbalanced dataset used in the experiments raises a scaling issue: the numbers of allowed and denied policies in the dataset may vary considerably, which negatively affects the model’s performance. The adaptive synthetic sampling method (ADASYN) was therefore used to generate balanced datasets. Additionally, the proposed method has a cost in terms of time and space complexity. We compute the complexity of the proposed method for the RF algorithm, because it produces satisfactory outcomes and is the efficient choice for the proposed solution. With n = the number of training examples, m = the number of features, k = the number of trees and a maximum tree height of $O(\log n)$, the complexity is given by the following formulas:
$$ Train\ Time\ Complexity = O(k \cdot n \log(n) \cdot m) $$
$$ Test\ Time\ Complexity = O(m \cdot k) $$
$$ Space\ Complexity = O(k \cdot depth\ of\ tree) $$

8. Discussion

This section discusses the paper’s contributions and their advantages over existing solutions. This research enhanced the decentralised, adaptable and dynamic policy decision-making point (PDP) in access control, making it compatible with BYOD, IoT and distributed systems.
To begin, BYOD policies and access control technology are essential for defining restrictions and rights that prevent unauthorised users and ensure the confidentiality, availability, data integrity and privacy of users and their data within an organisation. However, BYOD security and access control policies have limitations, so this study aimed to enhance conventional policies and access control systems. Firstly, the policy decision point (PDP) employs predefined rules that cannot be updated automatically, causing policy conflicts, high maintenance costs and inferior performance. System administrators create complex rules with multiple conditions, restrictions and permissions to circumvent this limitation, resulting in access control issues. Secondly, the policy decision point (PDP) employs a centralised architecture, a multi-valued logic system and domain-specific equivalent operators, so policy size and entity count have a negative impact on its performance, resulting in an increase in access decision-time costs. Thirdly, the direct communication between the PDP and the policy administration point (PAP) raises privacy concerns.
Previous studies offered many solutions, yet some did not employ ML and made decisions based on predefined rules that could not be automatically updated when user or resource attributes changed. Others employed ML techniques but did not produce adequate outcomes in terms of PDP performance or access decision time. Consequently, the main contribution of this paper is that it enhanced policy decision points (PDPs) to be highly adaptable and dynamic, adapting to changes in subject or object attributes and thus addressing policy conflicts and performance bottlenecks. This is achieved through ML technology that transforms unexpected access requests and any access request problems into a binary classification, either permit or deny, with high performance and fast access decision times, rather than the predefined rules and logical PDP of traditional access control.
Furthermore, to be compatible with the BYOD structure, the policy decision point of access control was made into a distributed PDP by implementing the random forest algorithm. This algorithm distributes the access decision across multiple nodes to reduce time costs and ensures that if one node is compromised, it cannot compromise the others. Distributed access decisions utilised a conditional and cascade architecture, in contrast with the centralised architecture of conventional access control. The proposed method binary-classified the issues associated with the policy decision point and responded to the access request based on its characteristics without communicating with the policy administration point (PAP); it did not communicate directly with the core policy set. The policy scope and the number of simultaneous access requests did not affect the access decision-making process. Additionally, the solution reduced the response time for access requests and made the system more flexible and lightweight. As described in Section 5, the proposed method was implemented in several sequential steps: dataset balancing, attribute and feature dimension reduction, a training and testing model and a decision-making model.
To evaluate the efficacy of the methodology, a real-world Amazon access control policy dataset [15] was employed. Furthermore, several experiments for five different techniques were conducted to compare the performance of different algorithms before and after the processing of balancing data. These experiments compared the area under the curve (AUC) and the receiver operating characteristic (ROC) curve with the same estimation parameters to compare the performance of the different algorithms in terms of Accuracy, Recall, Precision and F1-score as well as the response time of the PDP to grant or deny access requests.
According to the results of the five machine learning approaches on the same dataset before and after balancing the data, the random forest algorithm is the most effective compared to the other techniques. It achieved the desired results in terms of performance (0.95%) and time (0.15 s) for an optimal AUC of (0.98%). Consequently, the ROC performance of the algorithms was poor prior to the data balancing method, and the KNN and SVM algorithms cannot provide an optimal and accurate access decision response in the PDP during access control. Following data processing (the balancing phase), the overall performance of the proposed algorithms improved in terms of the measured Accuracy, Recall, Precision and F1-score values for the response of the policy decision point (PDP) during access control; the LR algorithm performs the worst, followed by SVM, while KNN, DT and RF have comparable performance and values. Overall, the ML-based PDP has improved overall performance, flexibility and adaptability to satisfy the real-time access control requirements of massive access requests and policy sizes.
The results showed that the random forest algorithm is better at access control decision-making because it can handle many access requests and complex resource-access request relationships. It can classify access users as authorised or unauthorised based on future access request and resource action policies. In addition, the random feature and data sample selection after processing prevented overfitting and improved model Accuracy in our experiment. Since random forest is an ensemble method, it has more hyperparameters, and the hyperparameters vary by decision tree. In other words, random forest predicts using multiple decision trees, each built from a random subset of the training data and features. This randomness reduces model overfitting and improves Accuracy.
Furthermore, the effectiveness of the proposed solution was compared to previous research in the field. Researchers have proposed numerous solutions to improve access control decision-making but need more adaptability, dynamism and conflict resolution. Table 6 below summarises the most notable previous work that improved access control by employing the same dataset. First, Nobi et al. proposed deep learning-based access control (DLBAC), which makes access decisions using a black-box neural network [18]. According to the evaluation findings, DLBAC can suggest granting or rejecting authorization with 88.5% Accuracy and disregarding the effect of time on the speed of decision-making. Second, Karimi proposed a solution to improve the resolution decision-making based on the reinforcement-epsilon greedy algorithm, which improved time performance but was not satisfactorily efficient [15]. Finally, Mingshan et al. in [19] proposed the Boosting Window (BW) algorithm as a decision-making algorithm for constructing an access control knowledge graph based on user and resource attributes. The solution enabled educational institutions such as universities and schools to control access by determining the access permissions between the access requester and the resource attributes. It achieved a moderately effective rate of 89.64 percent.
This paper enhanced the policy decision point in access control based on supervised learning for resolving issues in traditional access control, such as policy conflicts and the efficient performance of PDP when many requests arrive simultaneously. The method involves handling unexpected access requests by converting every access request into a binary classification based on access permissions. The suggested solution is more efficient, flexible and dynamic. It can make decisions with a high Accuracy rate in less time and works with many systems, such as Bring Your Own Device (BYOD), the Internet of Things (IoT) and distributed systems.

9. Conclusions

This research analysed and evaluated existing approaches for access control decision-making. The traditional policy decision point for access control makes access decisions based on predefined rules. Consequently, there are several problems with access control and decision-making, including conflicting policies, limited entities, poor PDP performance, delays in access response and cost considerations. However, the proposed method enhanced the policy decision point (PDP) of access control based on machine learning by translating PDP problems in access control into a binary categorization of allowing or denying access requests.
The enhanced ML-based PDP approach was implemented in the following steps: balancing the dataset, dimension reduction of attributes and features, a training and testing model and a decision-making model. The proposed method improved current access control by changing the policy decision point (PDP) to be dynamically adaptable, distributed and lightweight when deciding on permission, rather than making access decisions based on predetermined rules. It could handle the situation regardless of the number of entities, the number of concurrent massive requests or the complexity of the policy. Furthermore, it provided privacy and security for access control by requiring no direct connection or communication with the PAP policy, making the policies more confidential and private. The Kaggle Amazon access control policy dataset was utilised to evaluate the method’s efficacy, and several experiments were conducted before and after processing the dataset (the balancing phase). The method’s efficacy was evaluated in two ways: First, it was compared to various machine learning (ML) algorithms in terms of the performance of policy decision-making, the flexibility of access control and processing time. Second, the efficacy of the proposed technique was determined by comparing it to earlier techniques in terms of benchmark performance and time cost. Experiments have demonstrated that the proposed method generates sound decision-making and can simultaneously fulfil numerous access requests with high Accuracy, speed and flexibility.

Author Contributions

Conceptualization, A.T.A.M.; methodology, A.T.A.M.; software, A.T.A.M.; validation, A.T.A.M.; formal analysis, A.T.A.M.; investigation, A.T.A.M.; resources, A.T.A.M.; data curation, A.T.A.M.; writing—original draft preparation, A.T.A.M.; writing—review and editing, A.T.A.M.; visualization, A.T.A.M.; supervision, A.W.A.W. and M.Y.I.I. All authors have read and agreed to the published version of the manuscript.

Funding

This work was partly supported by the University of Malaya Impact Oriented Interdisciplinary Research Grant under Grant IIRG008 (A, B, C)-19IISS.

Acknowledgments

The authors of this paper appreciate the reviewers’ observations, comments and suggestions for improving the manuscript’s content.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. AbdAllah, E.G.; Zulkernine, M.; Hassanein, H.S. Preventing unauthorized access in information centric networking. Secur. Priv. 2018, 1, e33.
  2. Palanisamy, R.; Norman, A.A.; Kiah, M.L.M. Compliance with Bring Your Own Device security policies in organizations: A systematic literature review. Comput. Secur. 2020, 98, 101998.
  3. Langaliya, C.; Aluvalu, R. Enhancing cloud security through access control models: A survey. Int. J. Comput. Appl. 2015, 112, 8–12.
  4. Cheng, P.C.; Rohatgi, P.; Keser, C.; Karger, P.A.; Wagner, G.M.; Reninger, A.S. Fuzzy multi-level security: An experiment on quantified risk-adaptive access control. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP’07), Oakland, CA, USA, 20–23 May 2007; pp. 222–230.
  5. Ferraiolo, D.; Cugini, J.; Kuhn, D.R. Role-based access control (RBAC): Features and motivations. In Proceedings of the 11th Annual Computer Security Application Conference, New Orleans, LA, USA, 11–15 December 1995; pp. 241–248.
  6. Atlam, H.F.; Alenezi, A.; Walters, R.J.; Wills, G.B.; Daniel, J. Developing an adaptive Risk-based access control model for the Internet of Things. In Proceedings of the 2017 IEEE International Conference on Internet of Things (iThings) and IEEE Green Computing and Communications (GreenCom) and IEEE Cyber, Physical and Social Computing (CPSCom) and IEEE Smart Data (SmartData), Exeter, UK, 21–23 June 2017; pp. 655–661.
  7. Caserio, C.; Lonetti, F.; Marchetti, E. A Formal Validation Approach for XACML 3.0 Access Control Policy. Sensors 2022, 22, 2984.
  8. Lee, J.E.; Park, S.H.; Yoon, H. Security policy based device management for supporting various mobile OS. In Proceedings of the 2015 Second International Conference on Computing Technology and Information Management (ICCTIM), Johor, Malaysia, 21–23 April 2015; pp. 156–161.
  9. Yanson, K. Results of implementing WPA2-enterprise in educational institution. In Proceedings of the 2016 IEEE 10th International Conference on Application of Information and Communication Technologies (AICT), Baku, Azerbaijan, 12–14 October 2016; pp. 1–4.
  10. Gkamas, V.; Paraskevas, M.; Varvarigos, E. Design of a secure BYOD policy for the Greek School Network: A Case Study. In Proceedings of the 2016 IEEE Intl Conference on Computational Science and Engineering (CSE) and IEEE Intl Conference on Embedded and Ubiquitous Computing (EUC) and 15th Intl Symposium on Distributed Computing and Applications for Business Engineering (DCABES), Paris, France, 24–26 August 2016; pp. 557–560.
  11. Oluwatimi, O.; Damiani, M.L.; Bertino, E. A context-aware system to secure enterprise content: Incorporating reliability specifiers. Comput. Secur. 2018, 77, 162–178.
  12. Seneviratne, B.; Senaratne, S. Integrated Corporate Network Service Architecture for Bring Your Own Device (BYOD) Policy. In Proceedings of the 2018 3rd International Conference on Information Technology Research (ICITR), Moratuwa, Sri Lanka, 5–7 December 2018; pp. 1–6.
  13. Cappelletti, L.; Valtolina, S.; Valentini, G.; Mesiti, M.; Bertino, E. On the quality of classification models for inferring ABAC policies from access logs. In Proceedings of the 2019 IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019; pp. 4000–4007.
  14. Chang, C.C.; Lin, I.C.; Liao, C.T. An Access Control System with Time-constraint Using Support Vector Machines. Int. J. Netw. Secur. 2006, 2, 150–159.
  15. Karimi, L.; Abdelhakim, M.; Joshi, J. Adaptive ABAC Policy Learning: A Reinforcement Learning Approach. arXiv 2021, arXiv:2105.08587.
  16. Khilar, P.M.; Chaudhari, V.; Swain, R.R. Trust-based access control in cloud computing using machine learning. In Cloud Computing for Geospatial Big Data Analytics; Springer: Berlin/Heidelberg, Germany, 2019; pp. 55–79.
  17. Srivastava, K.; Shekokar, N. Machine learning based risk-adaptive access control system to identify genuineness of the requester. In Modern Approaches in Machine Learning and Cognitive Science: A Walkthrough; Springer: Berlin/Heidelberg, Germany, 2020; pp. 129–143.
  18. Nobi, M.N.; Krishnan, R.; Huang, Y.; Shakarami, M.; Sandhu, R. Toward Deep Learning Based Access Control. In Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy, Baltimore, MD, USA, 24–27 April 2022; pp. 143–154.
  19. You, M.; Yin, J.; Wang, H.; Cao, J.; Miao, Y. A Minority Class Boosted Framework for Adaptive Access Control Decision-Making. In Proceedings of the International Conference on Web Information Systems Engineering, Melbourne, VIC, Australia, 26–29 October 2021; Springer: Berlin/Heidelberg, Germany, 2021; pp. 143–157.
  20. Karimi, L.; Aldairi, M.; Joshi, J.; Abdelhakim, M. An automatic attribute based access control policy extraction from access logs. IEEE Trans. Dependable Secur. Comput. 2021, 19, 2304–2317.
  21. Pereira, J.; Tavalaei, M.M.; Ozalp, H. Blockchain-based platforms: Decentralized infrastructures and its boundary conditions. Technol. Forecast. Soc. Chang. 2019, 146, 94–102.
  22. Islam, N.; Marinakis, Y.; Majadillas, M.A.; Fink, M.; Walsh, S.T. Here there be dragons, a pre-roadmap construct for IoT service infrastructure. Technol. Forecast. Soc. Chang. 2020, 155, 119073.
  23. Alkhresheh, A.; Elgazzar, K.; Hassanein, H.S. DACIoT: Dynamic access control framework for IoT deployments. IEEE Internet Things J. 2020, 7, 11401–11419.
  24. Qiu, J.; Tian, Z.; Du, C.; Zuo, Q.; Su, S.; Fang, B. A survey on access control in the age of internet of things. IEEE Internet Things J. 2020, 7, 4682–4696.
  25. Alnefaie, S.; Cherif, A.; Alshehri, S. Towards a distributed access control model for IoT in healthcare. In Proceedings of the 2019 2nd International Conference on Computer Applications & Information Security (ICCAIS), Riyadh, Saudi Arabia, 1–3 May 2019; pp. 1–6.
  26. Hu, K.; Gan, Q.; Zhang, Y.; Deng, S.; Xiao, F.; Huang, W.; Cao, C.; Gao, X. Brain Tumor Segmentation Using Multi-Cascaded Convolutional Neural Networks and Conditional Random Field. IEEE Access 2019, 7, 92615–92629.
  27. Camelo, M.; Claeys, M.; Latré, S. Parallel Reinforcement Learning with Minimal Communication Overhead for IoT Environments. IEEE Internet Things J. 2020, 7, 1387–1400.
Figure 1. Traditional policy decision point (PDP) method in access control.
Figure 2. Distributed and adaptable policy decision point (PDP) based on ML.
Figure 3. Distributed and adaptable PDP model based on ML technology for access control.
Figure 4. Analyzing ROC curve results before data balancing for all algorithms.
Figure 5. Analyzing ROC curve results after data balancing for all algorithms.
Figure 6. Analyze the performance metrics of various methods after data processing (balancing method).
Figure 7. Analyze training times results of different methods after data balancing.
Figure 8. Analyze the testing times results of different methods after data balancing.
Figure 9. Analyze time under different policy scales.
Table 1. Evaluation of PDP in Access Control Approaches.
Columns: Ref | Application | Dynamic | Distributed | Free-Conflict | PDP Performance | Access Decision Time | ML Approach

Ref | Application
[8] | BYOD
[9] | BYOD
[10] | BYOD
[11] | BYOD
[12] | BYOD
[13] | Not specified
[14] | Not specified
[15] | IoT
[16] | Cloud
[17] | Healthcare, Airport
[18] | Not specified
[20] | Not specified
[19] | BYOD
(The per-criterion entries from Dynamic to ML Approach did not survive extraction and are not reproduced here.)
Table 2. Confusion matrix of policy decision point PDP results.
Real Results \ Predicted Results | Allowed Access | Refused Access
Allowed Access | D_AA | D_AR
Refused Access | D_RA | D_RR
Table 3. AUC values of different algorithms.
Methods | RF | KNN | DT | LR | SVM
AUC-Unbalanced Dataset | 0.83 | 0.69 | 0.67 | 0.52 | 0.54
AUC-Balanced Dataset | 0.98 | 0.96 | 0.95 | 0.55 | 0.70
Table 4. Performance results of different techniques without balancing the data set.
Methods | RF | KNN | DT | LR | SVM
Accuracy | 0.95 | 0.94 | 0.93 | 0.94 | 0.94
Precision | 0.94 | 0.92 | 0.96 | 0.89 | 0.89
Recall | 0.98 | 0.99 | 0.93 | 1.00 | 1.00
F1-score | 0.94 | 0.92 | 0.93 | 0.92 | 0.92
Table 5. Performance results of different techniques after balancing the dataset.
Methods | RF | KNN | DT | LR | SVM
Accuracy | 0.95 | 0.91 | 0.94 | 0.53 | 0.64
Precision | 0.96 | 0.91 | 0.94 | 0.54 | 0.64
Recall | 0.95 | 0.89 | 0.93 | 0.63 | 0.67
F1-score | 0.95 | 0.91 | 0.94 | 0.53 | 0.64
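Tables 2 to 5 report the PDP as a binary grant/deny classifier scored from its confusion matrix, before and after balancing the dataset. The following Python example, added here and not code from the paper or its authors, computes accuracy, precision, recall and F1 in the Table 2 notation (D_AA, D_AR, D_RA, D_RR, with "Allowed Access" as the positive class) and adds the refused-class recall, which is the quantity a defender cares about: the share of unauthorised requests the PDP actually blocked. It also scores a degenerate "always grant" PDP on a constructed imbalanced request set to show why high accuracy and recall on an unbalanced dataset can hide a decision point that never refuses anything. All counts are constructed sample values, not the paper's results.

```python
"""Confusion-matrix metrics for a binary policy decision point (PDP).

Added example (not part of the paper). Notation follows Table 2:
  D_AA: real Allowed, predicted Allowed   (true positive)
  D_AR: real Allowed, predicted Refused   (false negative: legitimate request blocked)
  D_RA: real Refused, predicted Allowed   (false positive: unauthorised access granted)
  D_RR: real Refused, predicted Refused   (true negative)
"Allowed Access" is treated as the positive class, as in the paper's tables.
All numbers used below are constructed, not experimental results.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class PdpConfusion:
    d_aa: int
    d_ar: int
    d_ra: int
    d_rr: int

    @property
    def total(self) -> int:
        return self.d_aa + self.d_ar + self.d_ra + self.d_rr


def _safe_div(num: float, den: float) -> float:
    # Avoid ZeroDivisionError when a class is never predicted or never present.
    return num / den if den else 0.0


def pdp_metrics(cm: PdpConfusion) -> Dict[str, float]:
    """Accuracy, precision, recall and F1 for the Allowed class, plus the
    refused-class recall (fraction of unauthorised requests that were denied)."""
    accuracy = _safe_div(cm.d_aa + cm.d_rr, cm.total)
    precision = _safe_div(cm.d_aa, cm.d_aa + cm.d_ra)
    recall = _safe_div(cm.d_aa, cm.d_aa + cm.d_ar)
    f1 = _safe_div(2 * precision * recall, precision + recall)
    refused_recall = _safe_div(cm.d_rr, cm.d_rr + cm.d_ra)
    return {
        "accuracy": round(accuracy, 4),
        "precision": round(precision, 4),
        "recall": round(recall, 4),
        "f1": round(f1, 4),
        "refused_recall": round(refused_recall, 4),
    }


def from_decisions(real: Sequence[str], predicted: Sequence[str]) -> PdpConfusion:
    """Build the Table 2 matrix from paired label sequences ('A' = allowed, 'R' = refused)."""
    if len(real) != len(predicted):
        raise ValueError("real and predicted label sequences differ in length")
    counts = {"AA": 0, "AR": 0, "RA": 0, "RR": 0}
    for r, p in zip(real, predicted):
        if r not in "AR" or p not in "AR":
            raise ValueError(f"labels must be 'A' or 'R', got {r!r}/{p!r}")
        counts[r + p] += 1
    return PdpConfusion(counts["AA"], counts["AR"], counts["RA"], counts["RR"])


def always_allow_baseline(n_allowed: int, n_refused: int) -> PdpConfusion:
    """Confusion matrix of a degenerate PDP that grants every request.
    On an imbalanced request set it scores accuracy = precision = share of
    allowed requests and recall = 1.0, while blocking nothing."""
    return PdpConfusion(d_aa=n_allowed, d_ar=0, d_ra=n_refused, d_rr=0)


if __name__ == "__main__":
    # Constructed: 1000 requests, 94% legitimately allowed (imbalanced).
    baseline = pdp_metrics(always_allow_baseline(940, 60))
    # Constructed: a PDP that blocks most unauthorised requests but not all.
    learned = pdp_metrics(PdpConfusion(d_aa=920, d_ar=20, d_ra=10, d_rr=50))
    for name, m in (("always-allow", baseline), ("learned PDP", learned)):
        print(f"{name:12s} acc={m['accuracy']:.2f} prec={m['precision']:.2f} "
              f"rec={m['recall']:.2f} f1={m['f1']:.2f} refused_recall={m['refused_recall']:.2f}")
```

The "always grant" row illustrates the limitation of Allowed-class metrics alone: accuracy, precision and F1 all look acceptable on an imbalanced request set even though every unauthorised request is granted, which is why the refused-class recall (and the AUC reported in Table 3) should be read alongside them.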
Table 6. Comparing the effectiveness of the proposed solution’s results to those of existing solutions.
Ref | Brief Description | ML Approach | Dataset | Performance | Time (s)
(Nobi, 2022) [18] | Proposes Deep Learning Based Access Control (DLBAC), which uses a black-box neural network to make the access decision. The method performed well in determining whether to allow or reject access requests, but it does not take the time factor into account. | Neural Network Algorithm, Interpretation Methods | Amazon Kaggle, Synthetic | 88.5% | NA
(Karimi, 2021) [15] | Proposes an adaptive ABAC policy learning approach to automate decision-making tasks. The method contributed to policy mining, but its performance is less than ideal. | Epsilon Greedy, Reinforcement Algorithm | Amazon Kaggle | 0.59% | 0.588
(Mingshan, 2021) [19] | Suggests a decision-making algorithm for building an access control knowledge graph from user and resource attributes. The model was presented as a case study for determining university resource usage based on user characteristics. | Boosting Window (BW) Algorithm, One-hot Encoding | Amazon Kaggle | 89.64% (Nw = 300) | NA
Our work | Enhanced adaptable and distributed access control decision making for solving policy conflicts based on ML technologies. The proposed method addresses the shortcomings of conventional access control methods: it is unaffected by the size of the policy, the number of entities or the number of access requests, and it performs with a high degree of dynamic flexibility in a short period of time. | Random Forest Algorithm | Amazon Kaggle | 95% | 0.15
Share and Cite

MDPI and ACS Style

Ayedh M, A.T.; Wahab, A.W.A.; Idris, M.Y.I. Enhanced Adaptable and Distributed Access Control Decision Making Model Based on Machine Learning for Policy Conflict Resolution in BYOD Environment. Appl. Sci. 2023, 13, 7102. https://doi.org/10.3390/app13127102
