Protection domains are one of the most enduring concepts in access control. Entities with identical access control characteristics are grouped into the same protection domain, and a domain-based policy assigns access privileges to the protection domain as a whole rather than to individual entities. With the advent of the Internet of Things (IoT), devices play the roles of both subjects and objects, and domain-based policies are particularly suited to this symmetry of roles. This paper studies the mining of domain-based policies from incomplete access logs. We first develop a theory of domain-based policies, which yields a polynomial-time algorithm that constructs the optimal domain-based policy from a given access control matrix. We then show that the problem of domain-based policy mining (DBPM) and the related problem of mining policies for domain and type enforcement (DTEPM) are both NP-complete. Next, we address the practical problem of solving DBPM with a MaxSAT solver: we devise sophisticated encodings for this purpose and empirically evaluate their relative performance. This paper thus lays the groundwork for future study of DBPM.
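The following is an added illustration of the two problems the abstract distinguishes; it is not code from the paper and does not reproduce its algorithms or encodings. It assumes the IoT symmetry the abstract mentions (every device is both a subject and an object, so the access control matrix is square and indexed by one entity list on both axes), it takes "optimal" to mean the fewest protection domains that reproduce the matrix exactly, and it models an incomplete log as a set of observed cells. The complete-matrix construction groups entities by identical row and column, which is polynomial; the incomplete-log miner is a deliberately naive exhaustive search whose blow-up is what the NP-completeness result predicts. Device names, rights and log contents are constructed sample data.

```python
"""Domain-based policies: polynomial construction from a complete matrix,
and brute-force mining from an incomplete log (added example, not the paper's code)."""
from itertools import product

R = frozenset  # a cell of the matrix is a set of rights; the empty set means no access

# Constructed sample: four IoT devices that are both subjects (rows) and objects (columns).
ENTITIES = ["thermostat", "sensor_a", "sensor_b", "hub"]
_rows = {
    "thermostat": [R(), R({"read"}), R({"read"}), R({"report"})],
    "sensor_a":   [R(), R(), R(), R({"report"})],
    "sensor_b":   [R(), R(), R(), R({"report"})],
    "hub":        [R({"read", "write"}), R({"read", "write"}), R({"read", "write"}), R()],
}
MATRIX = {s: dict(zip(ENTITIES, row)) for s, row in _rows.items()}

# Constructed incomplete log: three cells of MATRIX never showed up in the log.
_UNSEEN = {("thermostat", "sensor_b"), ("sensor_b", "hub"), ("hub", "sensor_a")}
PARTIAL_LOG = {(s, o): MATRIX[s][o] for s in ENTITIES for o in ENTITIES if (s, o) not in _UNSEEN}

# Constructed very sparse log: only two accesses were ever recorded.
SPARSE_LOG = {("thermostat", "sensor_a"): R({"read"}),
              ("hub", "thermostat"): R({"read", "write"})}


def build_domain_policy(entities, matrix):
    """Polynomial-time construction for a complete matrix (assumption: 'optimal' = fewest domains).

    Two entities share a protection domain exactly when their row (what they may do
    to everyone) and their column (what everyone may do to them) are identical.
    Entities that differ in any cell can never share a domain, so this partition is
    the coarsest one whose domain-level policy still reproduces the matrix.
    """
    domain_of, seen = {}, {}
    for e in entities:
        signature = (tuple(matrix[e][o] for o in entities),   # row of e
                     tuple(matrix[s][e] for s in entities))   # column of e
        if signature not in seen:
            seen[signature] = len(seen)          # next fresh domain id
        domain_of[e] = seen[signature]
    policy = {}
    for s in entities:
        for o in entities:
            policy[(domain_of[s], domain_of[o])] = matrix[s][o]
    return domain_of, policy


def reproduces(entities, matrix, domain_of, policy):
    """True when the domain-level policy yields every cell of the original matrix."""
    return all(policy[(domain_of[s], domain_of[o])] == matrix[s][o]
               for s in entities for o in entities)


def mine_min_domains(entities, observed):
    """Exhaustive DBPM for an incomplete log; usable only for tiny instances.

    `observed` maps (subject, object) -> rights for the cells the log shows; unobserved
    cells are unconstrained. It tries k = 1, 2, ... domains and returns the first
    consistent assignment, so the returned k is minimal. The loop is exponential in
    the number of entities, which is why a MaxSAT encoding is used in practice.
    """
    n = len(entities)
    for k in range(1, n + 1):
        for assignment in product(range(k), repeat=n):
            domain_of = dict(zip(entities, assignment))
            policy, consistent = {}, True
            for (s, o), rights in observed.items():
                key = (domain_of[s], domain_of[o])
                # the same domain pair may not demand two different right sets
                if policy.setdefault(key, rights) != rights:
                    consistent = False
                    break
            if consistent:
                return k, domain_of, policy
    raise ValueError("no consistent domain-based policy for these observations")


if __name__ == "__main__":
    d, p = build_domain_policy(ENTITIES, MATRIX)
    print("domains from complete matrix:", d, "reproduces:", reproduces(ENTITIES, MATRIX, d, p))
    print("min domains, partial log:", mine_min_domains(ENTITIES, PARTIAL_LOG)[0])
    print("min domains, sparse log:", mine_min_domains(ENTITIES, SPARSE_LOG)[0])
```

On the constructed matrix the two sensors collapse into one domain, giving three domains in total. With three cells missing from the log the minimum is still three, because every two-domain partition contradicts some observed cell; with only two accesses logged, two domains suffice, which shows how an incomplete log admits policies coarser than the one that generated it.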