Abstract
The recent explosive growth in data and the rapid development of communication technologies have brought us into the era of big data. As an important security mechanism, access control calls for more efficient evaluation methods. However, most traditional approaches have already hit a performance bottleneck. Although some methods do focus on the performance of the evaluation engine, they are mostly either not designed for the big-data setting or face many limitations when deployed in practice. In this paper, we propose a novel framework based on a two-level structure that employs multiple clustering techniques. Before building the framework, we propose several ideas for preprocessing attributes. We then obtain the two-level structure by two-stage clustering: the first stage performs a coarse-grained clustering on qualitative (categorical) attributes, and the second stage performs a fine-grained clustering on quantitative (numerical) attributes. Finally, we obtain a further improvement through set operations. In experiments, the framework is applied to several prevailing evaluation engines on a large dataset, and the results show that our approach yields significant improvements for all engines involved.
Notes
- 1. Attribute and attribute-value are distinct notions in this paper and should not be confused.
Acknowledgment
This work is supported by the National Natural Science Foundation of China under Grant No. 61202476 and by the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant Nos. XDA06010701 and XDA06040502. Last but not least, we sincerely thank all the reviewers for their valuable advice.
A Appendix
In essence, \(Set^{0}_{pol}\) is the set of original policies extracted directly from the PolicySets, ignoring their structure and combining algorithms; \(Set^{1}_{pol}\) and \(Set^{2}_{pol}\) are the modified versions used for the transition into the first and second clustering stage respectively. The policies in \(Set^{1}_{pol}\) are obtained by deleting the match conditions on the non-selected CatAttrs, on all NumAttrs and on attributes of other types, following the relaxation rules. The policies in \(Set^{2}_{pol}\) are obtained from those in \(Set^{1}_{pol}\) by restoring all match conditions on NumAttrs. The policies listed above are the ones in \(Set^{0}_{pol}\), \(Set^{1}_{pol}\) and \(Set^{2}_{pol}\) respectively, focusing on subjects.
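The following is an added worked example, not code from the paper or from any of the evaluation engines it benchmarks. It implements the relaxation chain \(Set^{0}_{pol} \to Set^{1}_{pol} \to Set^{2}_{pol}\) described in this appendix and uses it as the two-level candidate filter sketched in the abstract (coarse stage on categorical attributes, fine stage on numeric intervals, set operations to combine buckets). The policy representation (`cat`, `num`, `other` condition maps), the choice of "selected" CatAttrs, the bucket-and-wildcard lookup and the sample policies are all this example's own assumptions; the paper's actual clustering algorithms are not reproduced. The point a practitioner should take from it is the check at the end: a pre-filter in front of a policy decision point is only acceptable if it is sound, i.e. never drops a policy that would have applied, because a dropped Deny silently becomes a Permit. `check_soundness` verifies that exhaustively against brute-force evaluation of \(Set^{0}_{pol}\) over a small request domain.

```python
from itertools import product

# Policy representation assumed by this example (not the paper's data model):
#   cat   : categorical attribute (CatAttr) -> set of allowed values
#   num   : numeric attribute (NumAttr)     -> closed interval (lo, hi)
#   other : any other attribute type        -> required exact value
# An attribute with no condition matches every request.
class Policy:
    def __init__(self, pid, cat=None, num=None, other=None):
        self.pid = pid
        self.cat = {a: set(v) for a, v in (cat or {}).items()}
        self.num = dict(num or {})
        self.other = dict(other or {})

    def matches(self, req):
        """Full evaluation of one request, i.e. Set^0 semantics."""
        for a, allowed in self.cat.items():
            if req.get(a) not in allowed:
                return False
        for a, (lo, hi) in self.num.items():
            v = req.get(a)
            if v is None or not lo <= v <= hi:
                return False
        return all(req.get(a) == v for a, v in self.other.items())


def relax(policy, selected_cat, keep_num):
    """Set^1 (keep_num=False): keep only conditions on the selected CatAttrs.
    Set^2 (keep_num=True): Set^1 plus all NumAttr conditions restored.
    Deleting a condition can only enlarge the set of matching requests,
    so every relaxed policy over-approximates the original one."""
    cat = {a: s for a, s in policy.cat.items() if a in selected_cat}
    return Policy(policy.pid, cat, policy.num if keep_num else {}, {})


class TwoLevelIndex:
    """Level 1 (from Set^1): a bucket per (selected CatAttr, value) plus a
    wildcard bucket per attribute for policies without a condition on it.
    Level 2 (from Set^2): NumAttr interval checks on the survivors.
    Only then is the original Set^0 policy evaluated in full."""
    def __init__(self, policies, selected_cat):
        self.selected = tuple(selected_cat)
        self.full = {p.pid: p for p in policies}
        self.set2 = {p.pid: relax(p, self.selected, True) for p in policies}
        self.buckets = {}
        self.wild = {a: set() for a in self.selected}
        for p in policies:
            s1 = relax(p, self.selected, False)
            for a in self.selected:
                if a not in s1.cat:
                    self.wild[a].add(p.pid)
                for v in s1.cat.get(a, ()):
                    self.buckets.setdefault((a, v), set()).add(p.pid)

    def candidates_stage1(self, req):
        """Set operations over level-1 buckets: per selected attribute the
        candidates are bucket[value] | wildcard; the stage result is the
        intersection over all selected attributes."""
        result = set(self.full)
        for a in self.selected:
            result &= self.buckets.get((a, req.get(a)), set()) | self.wild[a]
        return result

    def applicable(self, req):
        """Ids of the policies whose full match conditions apply to req."""
        stage2 = {pid for pid in self.candidates_stage1(req)
                  if self.set2[pid].matches(req)}
        return {pid for pid in stage2 if self.full[pid].matches(req)}


def brute_force(policies, req):
    """Reference answer: evaluate every policy in Set^0 directly."""
    return {p.pid for p in policies if p.matches(req)}


# Constructed sample policies; attribute names and values are illustrative.
POLICIES = [
    Policy("p1", cat={"role": {"doctor"}, "dept": {"icu"}}, num={"age": (18, 65)}),
    Policy("p2", cat={"role": {"doctor", "nurse"}}, num={"hour": (8, 18)},
           other={"action": "read"}),
    Policy("p3", cat={"dept": {"lab"}}, other={"action": "write"}),
    Policy("p4", num={"age": (0, 17)}),
]
SELECTED = ("role", "dept")   # CatAttrs chosen for the coarse first stage


def check_soundness(policies=POLICIES, selected=SELECTED):
    """A pre-filter for access control must never drop an applicable policy:
    compare the index with brute force over an exhaustive small request
    domain (None stands for an absent attribute)."""
    idx = TwoLevelIndex(policies, selected)
    domain = {"role": ["doctor", "nurse", "admin", None],
              "dept": ["icu", "lab", None], "age": [10, 30, 70],
              "hour": [9, 20], "action": ["read", "write"]}
    keys = list(domain)
    return all(idx.applicable(dict(zip(keys, vals))) ==
               brute_force(policies, dict(zip(keys, vals)))
               for vals in product(*(domain[k] for k in keys)))


if __name__ == "__main__":
    idx = TwoLevelIndex(POLICIES, SELECTED)
    req = {"role": "doctor", "dept": "icu", "age": 30, "hour": 9, "action": "read"}
    print("stage-1 candidates:", sorted(idx.candidates_stage1(req)))
    print("applicable:", sorted(idx.applicable(req)))
    print("sound on exhaustive domain:", check_soundness())
```

For the sample request the first stage already discards `p3` (its `dept` condition cannot match `icu`), the interval check discards `p4`, and full evaluation confirms `p1` and `p2`, the same set brute force returns. Soundness here follows from the construction: a policy that constrains a selected attribute always sits in the bucket for each value it allows, a policy that does not constrain it sits in that attribute's wildcard bucket, and \(Set^{2}_{pol}\) over-approximates \(Set^{0}_{pol}\); any real engine built this way should keep an equivalent differential check in its test suite, since an index that is merely fast but unsound changes access decisions.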
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Liu, T., Wang, Y. (2015). Beyond Scale: An Efficient Framework for Evaluating Web Access Control Policies in the Era of Big Data. In: Tanaka, K., Suga, Y. (eds) Advances in Information and Computer Security. IWSEC 2015. Lecture Notes in Computer Science, vol 9241. Springer, Cham. https://doi.org/10.1007/978-3-319-22425-1_19
DOI: https://doi.org/10.1007/978-3-319-22425-1_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-22424-4
Online ISBN: 978-3-319-22425-1