
CASPR dramatically reduces the expertise and time required to maintain SELinux policies, improving security posture and operational efficiency for enterprises.
SELinux remains a cornerstone for mandatory access control in modern operating systems, yet its policy language is notoriously intricate. Administrators must craft granular rules that align with application behavior, a process that is both error‑prone and labor‑intensive. The growing complexity of cloud‑native workloads and containerized environments amplifies this challenge, creating a market demand for intelligent automation that can keep pace with rapid deployment cycles.
CASPR addresses this gap by leveraging a rich set of context‑aware features—including existing policy rules, file system paths, audit log entries, and attribute metadata—to model privilege similarities between types. Using K‑means clustering, the system groups related types and employs SHAP analysis to quantify each feature’s contribution, enabling precise rule recommendations. Benchmarks across several policy versions reveal a 91.58% recommendation accuracy and a 93.76% F1‑score, outperforming prior rule‑mining approaches and demonstrating robustness both for newly introduced types and for existing (legacy) ones.
The broader implications for the security industry are significant. By automating anomaly detection—identifying constraint conflicts, inconsistencies, and incomplete permissions—CASPR not only streamlines compliance audits but also reduces the attack surface associated with misconfigurations. Its demonstrated portability across diverse operating systems suggests a viable path toward standardized, AI‑driven policy management tools, potentially reshaping how organizations enforce least‑privilege principles at scale. Future research may extend CASPR’s methodology to other mandatory access control frameworks, further cementing its role in proactive security governance.
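To make the two ideas above concrete (privilege-similarity clustering with peer-based rule recommendation, and anomaly detection over a policy), here is a small, self-contained worked example. It is added for this page and is not CASPR's code: the feature encoding (one binary feature per attribute held and per target/class/permission allowed), the deterministic farthest-first K-means, the peer-support threshold, and the two anomaly heuristics (an `allow` that contradicts a `neverallow`; a file `read`/`write`/`append` granted without `open`) are all simplifications assumed here, and the policy text it parses is constructed, not a real distribution policy. SHAP attribution is not reproduced.

```python
# Toy SELinux policy analyser, constructed for this page (not CASPR's code): cluster
# types by held privileges, recommend rules for a sparse type, flag anomalies.
import re
from collections import defaultdict
# Constructed sample policy in kernel policy language (assumed, not a real policy).
SAMPLE_POLICY = """
typeattribute httpd_t webserver;
typeattribute nginx_t webserver;
typeattribute webapp_t webserver;
allow httpd_t httpd_config_t:file { read getattr open };
allow httpd_t httpd_log_t:file { append create getattr open };
allow httpd_t httpd_cache_t:dir { read getattr search write add_name };
allow httpd_t sshd_key_t:file read;
allow nginx_t httpd_config_t:file { read getattr open };
allow nginx_t httpd_log_t:file { append create getattr open };
allow nginx_t httpd_cache_t:dir { read getattr search write add_name };
allow webapp_t httpd_config_t:file { read getattr open };
allow webapp_t httpd_log_t:file { append create };
allow sshd_t sshd_key_t:file { read getattr open };
allow sshd_t sshd_log_t:file { append create getattr open };
neverallow webserver sshd_key_t:file read;
"""
RULE_RE = re.compile(r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")
ATTR_RE = re.compile(r"^typeattribute\s+(\S+)\s+([^;]+);$")

def parse_policy(text):
    """Return (allows, neverallows, attrs); a rule is (src, tgt, class, frozenset(perms))."""
    allows, neverallows, attrs = [], [], defaultdict(set)
    for line in (l.strip() for l in text.splitlines()):
        if m := ATTR_RE.match(line):
            attrs[m.group(1)].update(a.strip() for a in m.group(2).split(","))
        elif m := RULE_RE.match(line):
            kind, src, tgt, cls, perms = m.groups()
            rule = (src, tgt, cls, frozenset(perms.strip("{} ").split()))
            (allows if kind == "allow" else neverallows).append(rule)
    return allows, neverallows, attrs

def feature_vectors(allows, attrs):
    """One binary feature per attribute held and per (target, class, permission) allowed."""
    feats = defaultdict(set)
    for src, tgt, cls, perms in allows:
        feats[src].update(f"perm:{tgt}:{cls}:{p}" for p in perms)
    for t, anames in attrs.items():
        feats[t].update(f"attr:{a}" for a in anames)
    names = sorted({f for s in feats.values() for f in s})
    return names, {t: [1.0 if f in s else 0.0 for f in names] for t, s in feats.items()}

def kmeans(vectors, k, iters=20):
    """Lloyd's K-means with deterministic farthest-first seeding (reproducible output)."""
    types, pts = list(vectors), list(vectors.values())
    dist = lambda a, b: sum((x - y) ** 2 for x, y in zip(a, b))
    centroids = [pts[0]]
    while len(centroids) < k:
        centroids.append(max(pts, key=lambda p: min(dist(p, c) for c in centroids)))
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda i: dist(p, centroids[i])) for p in pts]
        if new == labels:
            break
        labels = new
        for i in range(k):
            members = [p for p, l in zip(pts, labels) if l == i] or [centroids[i]]
            centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return dict(zip(types, labels)), centroids

def recommend(target, allows, labels, min_support=0.6):
    """Permissions held by >= min_support of target's cluster peers but not by target."""
    peers = [t for t, l in labels.items() if l == labels[target] and t != target]
    have = {(tgt, cls, p) for s, tgt, cls, perms in allows if s == target for p in perms}
    holders = defaultdict(set)
    for s, tgt, cls, perms in allows:
        if s in peers:
            for p in perms:
                holders[(tgt, cls, p)].add(s)
    return sorted((key, len(h) / len(peers)) for key, h in holders.items()
                  if key not in have and len(h) / len(peers) >= min_support)

def find_anomalies(allows, neverallows, attrs):
    """Allow rules that contradict a neverallow, and file read/write/append without open."""
    expand = lambda n: {t for t, a in attrs.items() if n in a} or {n}  # attribute -> members
    findings = []
    for src, tgt, cls, perms in neverallows:
        for s, t, c, p in allows:
            if s in expand(src) and t in expand(tgt) and c == cls and p & perms:
                findings.append(("conflict", s, t, c, sorted(p & perms)))
    granted = defaultdict(set)
    for s, t, c, p in allows:
        granted[(s, t, c)] |= p
    for (s, t, c), p in granted.items():
        if c == "file" and p & {"read", "write", "append"} and "open" not in p:
            findings.append(("incomplete", s, t, c, ["open"]))
    return findings

if __name__ == "__main__":
    allows, neverallows, attrs = parse_policy(SAMPLE_POLICY)
    _, vectors = feature_vectors(allows, attrs)
    labels, _ = kmeans(vectors, k=2)
    for (tgt, cls, perm), support in recommend("webapp_t", allows, labels):
        print(f"recommend: allow webapp_t {tgt}:{cls} {perm};  (peer support {support:.0%})")
    for finding in find_anomalies(allows, neverallows, attrs):
        print("anomaly:", finding)
```

Run as a script, it places `webapp_t` in the same cluster as `httpd_t` and `nginx_t` (shared attribute and config-file privileges), recommends the log and cache-directory permissions its peers hold and it lacks, and withholds `sshd_key_t:file read` because only one of two peers holds it and that single holding is itself flagged as a `neverallow` conflict. The `open` check encodes a real SELinux subtlety (a domain allowed `write` but not `open` cannot open the file itself), but the threshold and heuristics are tuning choices assumed for this example, not CASPR's.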