Elimination of the redundancy related to combining algorithms to improve the PDP evaluation performance. (English) Zbl 1400.68267

Summary: If the policies loaded on the policy decision point (PDP) in the authorization access control model contain many redundancies, the system occupies more resources in operation and consumes plenty of evaluation time and storage space. In order to detect and eliminate policy redundancies and thereby improve the evaluation performance of the PDP, this paper proposes an engine that detects and eliminates the redundancy related to combining algorithms. This engine can not only detect and eliminate the redundancy related to combining algorithms, but also evaluate access requests. The engine constructs a Resource Brick Wall according to the resource attribute of a policy’s target attributes. Based on the Resource Brick Wall and the policy/rule combining algorithms, three theorems for detecting redundancies related to combining algorithms are proposed. The evaluation performance of this engine is compared with that of Sun PDP. Experimental results show that the evaluation performance of the PDP can be prominently improved by eliminating the redundancy related to combining algorithms.

MSC:

68W40 Analysis of algorithms
