Abstract
In modern access control systems, the Policy Decision Point (PDP) must become more efficient to meet the ever-growing demand for Web access authorization. Existing XACML implementations of access control systems share the same ABAC-based architecture but differ in the design of the PDP and other components. Attribute evaluation, a critical step in the PDP, is often implemented in a simple and inefficient way in real applications. To improve PDP evaluation performance, we propose a novel distributed PDP model, called XPDP, which combines two-stage clustering with reordering to overcome the computational limits of a single PDP. First, rules are clustered by subject and then clustered further with a spectral clustering method. Second, for every inbound request, the rule clusters are reordered by similarity before evaluation. Finally, we introduce a distributed PDP architecture for distributed deployment, which offers a new perspective on the design of access control systems. We compare the evaluation performance of XPDP with that of the Sun PDP and SBA-XACML. In an experiment with 10,000 synthetic access requests over three practical policy sets, XPDP is 3.26 times faster than the Sun PDP and 1.85 times faster than SBA-XACML. The experimental results show that PDP evaluation performance can be markedly improved.
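The three steps above (cluster by subject, refine each subject group spectrally, reorder clusters per request) as an added, runnable illustration. This is not the paper's XPDP code: the Jaccard similarity over attribute values, the two-way spectral split by the sign of the Fiedler vector (computed by power iteration in pure Python, standing in for the full spectral clustering the paper applies), the permit-overrides combining algorithm with early exit, and the rule set and requests are all assumptions constructed for the example.

```python
"""Two-stage clustering plus per-request reordering of XACML-style rules.

Added illustration, not the paper's XPDP code. Stage 1 groups rules by
subject; stage 2 splits each group with a spectral bisection (sign of the
Fiedler vector of the rule-similarity Laplacian, found by power iteration
in pure Python); stage 3 reorders the clusters by similarity to the inbound
request before evaluation. The Jaccard similarity, the two-way spectral
split and the permit-overrides combining algorithm are assumptions made
for this example; the rules and requests are constructed.
"""
from collections import defaultdict

# Constructed sample policy: (rule id, subject, resource, action, effect).
RULES = [
    ("r1", "doctor", "patient-record", "read", "Permit"),
    ("r2", "doctor", "patient-record", "write", "Permit"),
    ("r3", "doctor", "patient-record", "delete", "Deny"),
    ("r4", "doctor", "billing", "read", "Permit"),
    ("r5", "doctor", "billing", "write", "Deny"),
    ("n1", "nurse", "patient-record", "read", "Permit"),
    ("n2", "nurse", "billing", "read", "Deny"),
]


def jaccard(a, b):
    """Jaccard similarity of two attribute-value sets (0.0 if both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def fiedler_vector(weights, iterations=300):
    """Eigenvector for the second-smallest eigenvalue of the graph Laplacian
    L = D - W, via power iteration on (c*I - L) with the constant vector
    (the eigenvector for eigenvalue 0) projected out at every step."""
    n = len(weights)
    degree = [sum(row) for row in weights]
    c = 2.0 * max(degree) or 1.0  # Gershgorin: every eigenvalue of L is <= 2 * max degree
    x = [float(i + 1) for i in range(n)]  # deterministic start vector
    for _ in range(iterations):
        mean = sum(x) / n
        x = [v - mean for v in x]  # keep x orthogonal to the all-ones vector
        y = []
        for i in range(n):
            lx_i = degree[i] * x[i] - sum(weights[i][j] * x[j] for j in range(n))
            y.append(c * x[i] - lx_i)
        norm = sum(v * v for v in y) ** 0.5
        if norm == 0.0:
            return x
        x = [v / norm for v in y]
    return x


def spectral_bisect(rules):
    """Stage 2: split one subject group in two by the sign of the Fiedler vector
    of the similarity graph over (resource, action) attribute values."""
    n = len(rules)
    attrs = [{r[2], r[3]} for r in rules]
    w = [[0.0 if i == j else jaccard(attrs[i], attrs[j]) for j in range(n)]
         for i in range(n)]
    f = fiedler_vector(w)
    left = [r for r, v in zip(rules, f) if v >= 0.0]
    right = [r for r, v in zip(rules, f) if v < 0.0]
    return [part for part in (left, right) if part]


def build_clusters(rules, min_split=3):
    """Stage 1 (group by subject), then stage 2 on every group large enough to split."""
    by_subject = defaultdict(list)
    for r in rules:
        by_subject[r[1]].append(r)
    clusters = []
    for group in by_subject.values():
        clusters.extend(spectral_bisect(group) if len(group) >= min_split else [group])
    return clusters


def request_similarity(cluster, request):
    """Stage 3 score: best Jaccard overlap between the request's attribute values
    and any rule in the cluster, over subject, resource and action."""
    req = set(request.values())
    return max(jaccard(req, {r[1], r[2], r[3]}) for r in cluster)


def evaluate(clusters, request, reorder=True):
    """Permit-overrides evaluation over the clusters; returns (decision, rules examined).
    The decision is order-independent, so reordering changes only the cost."""
    order = sorted(clusters, key=lambda c: -request_similarity(c, request)) if reorder else clusters
    examined, decision = 0, "NotApplicable"
    target = (request["subject"], request["resource"], request["action"])
    for cluster in order:
        for rule in cluster:
            examined += 1
            if (rule[1], rule[2], rule[3]) == target:
                if rule[4] == "Permit":
                    return "Permit", examined  # a Permit overrides everything: stop early
                decision = "Deny"  # a Deny only stands if no Permit turns up later
    return decision, examined


if __name__ == "__main__":
    clusters = build_clusters(RULES)
    print("clusters:", [[r[0] for r in c] for c in clusters])
    for req in ({"subject": "doctor", "resource": "billing", "action": "read"},
                {"subject": "doctor", "resource": "patient-record", "action": "delete"}):
        print(req, "flat:", evaluate([RULES], req, reorder=False), "clustered:", evaluate(clusters, req))
```

On the constructed policy the doctor group splits into a patient-record cluster and a billing cluster, and a "doctor reads billing" request is decided after one rule instead of four when the flat policy is scanned in order. Two caveats a practitioner should keep in mind: reordering is only decision-preserving for order-independent combining algorithms such as permit-overrides or deny-overrides; under first-applicable the engine must still evaluate the matching rules in their original order, otherwise reordering changes the decision. And because stage 1 partitions by subject, each subject group can be deployed on its own PDP node with requests routed by subject, which is the distributed deployment the abstract refers to; the speedups it reports are the paper's measurements, not something this toy reproduces.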
References
Borders, K., Zhao, X., Prakash, A.: CPOL: high-performance policy evaluation. In: Proceedings of International Conference on Computer and Communications Security, 147–157, ACM (2005)
Bui, T., Stoller, S.D., Sharma, S.: Fast distributed evaluation of stateful attribute-based access control policies. In: Proceedings of International Conference on Data and Applications Security and Privacy, 101–119, IFIP (2017)
Deng, F., Zhang, L.Y.: Elimination of policy conflict to improve the PDP evaluation performance. J. Netw. Comput. Appl. 80(4), 45–57 (2017)
Deng, F., Zhang, L.Y., Zhou, B.Y., Zhang, J.W., Cao, H.Y.: Elimination of the redundancy related to combining algorithms to improve the PDP evaluation performance. Math. Probl. Eng. 2016(4), 1–18 (2016)
Hughes, G., Bultan, T.: Automated verification of access control policies using a SAT solver. Int. J. Softw. Tools Technol. Transfer. 10(6), 503–520 (2008)
Jebbaoui, H., Mourad, A., Otrok, H., Haraty, R.: Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies. Comput. Electr. Eng. 44(C), 91–103 (2015)
Kabir, M.E., Wang, H., Bertino, E.: A role-involved purpose-based access control model. Inf. Syst. Front. 14(3), 809–822 (2012)
Kolovski, V., Hendler, J., Parsia, B.: Analyzing Web access control policies. In: Proceedings of International Conference on World Wide Web, 677–686, ACM (2007)
Lin, D., Rao, P., Bertino, E., Lobo, J.: An approach to evaluate policy similarity. In: Proceedings of ACM Symposium on Access Control Models and Technologies, 1–10, ACM (2007)
Lin, D., Rao, P., Ferrini, R., Bertino, E., Lobo, J.: A similarity measure for comparing XACML policies. IEEE Trans. Knowl. Data Eng. 25(9), 1946–1959 (2013)
Liu, T., Wang, Y.: Beyond scale: an efficient framework for evaluating Web access control policies in the era of big data. In: Proceedings of International Workshop on Security, 316–334 (2015)
Liu, A.X., Chen, F., Hwang, J.H., Xie, T.: Xengine: a fast and scalable XACML policy evaluation engine. In: Proceedings of ACM SIGMETRICS Performance Evaluation Review, 265–276, ACM (2008)
Liu, A.X., Chen, F., Hwang, J.H., Xie, T.: Designing fast and scalable XACML policy evaluation engines. IEEE Trans. Comput. 60(12), 1802–1817 (2011)
Lorch, M., Proctor, S., Lepro, R., Kafura, D., Shah, S.: First experiences using XACML for access control in distributed systems. In: Proceedings of ACM Workshop on XML Security, 25–37, ACM (2003)
Luxburg, U.V.: A tutorial on spectral clustering. Stat. Comput. 17(4), 395–416 (2007)
Marouf, S., Shehab, M., Squicciarini, A., Sundareswaran, S.: Statistics & clustering based framework for efficient XACML policy evaluation. In: Proceedings of International Conference on Policies for Distributed Systems and Networks, 118–125, IEEE (2009)
Marouf, S., Shehab, M., Squicciarini, A., Sundareswaran, S.: Adaptive reordering and clustering-based framework for efficient XACML policy evaluation. IEEE Trans. Serv. Comput. 4(4), 300–313 (2011)
Mouelhi, T., Fleurey, F., Baudry, B., Traon, Y.: A model-based framework for security policy specification, deployment and testing. In: Proceedings of International Conference on Model Driven Engineering Languages and Systems, 537–552 (2008)
Mouelhi, T., Traon, Y.L., Baudry, B.: Transforming and selecting functional test cases for security policy testing. In: Proceedings of International Conference on Software Testing, Verification, and Validation, 171–180, IEEE (2009)
Mourad, A., Jebbaoui, H.: SBA-XACML: set-based approach providing efficient policy decision process for accessing Web services. Expert Syst. Appl. 42(1), 165–178 (2015)
Ng, A.Y., Jordan, M.I., Weiss, Y.: On spectral clustering: analysis and an algorithm. Proc. NIPS 14, 849–856 (2001)
Ngo, C., Demchenko, Y., Laat, C.D.: Decision diagrams for XACML policy evaluation and management. Comput. Secur. 49(5), 1–16 (2015)
Pei, X., Yu, H., Fan, G.: Achieving efficient access control via XACML policy in cloud computing. In: Proceedings of International Conference on Software Engineering and Knowledge Engineering, 110–115 (2015)
Ros, S.P., Lischka, M.: Graph-based XACML evaluation. In: Proceedings of ACM Symposium on Access Control Models and Technologies, 83–92, ACM (2012)
Sun’s XACML implementation: http://sunxacml.sourceforge.net/
Traon, Y.L., Mouelhi, T., Pretschner, A., Baudry, B.: Test-driven assessment of access control in legacy applications. In: Proceedings of International Conference on Software Testing, Verification, and Validation, 238–247, IEEE (2008)
Turkmen, F., Demchenko, Y.: On the use of SMT solving for XACML policy evaluation. In: Proceedings of International Conference on Cloud Computing Technology and Science, 539–544, IEEE (2016)
Wang, H., Cao, J., Zhang, Y.: A flexible payment scheme and its role-based access control. IEEE Trans. Knowl. Data Eng. 17(3), 425–436 (2005)
Wang, H., Zhang, Y., Cao, J.: Access control management for ubiquitous computing. Futur. Gener. Comput. Syst. 24(8), 870–878 (2008)
Wang, Y.Z., Feng, D.G., Zhang, L.W., Zhang, M.: XACML policy evaluation engine based on multi-level optimization technology. J. Softw. 22(2), 323–338 (2011)
Acknowledgments
This work is supported by the scientific research cultivation fund of Xi’an University of Science and Technology in China (201635), the PhD research startup foundation of Xi’an University of Science and Technology in China (2015QDJ072), the natural science foundation of Shaanxi province in China (2017JQ6053), and the national natural science foundation of China (61702408). This work was also supported by the Innovation Group for Interdisciplinary Computing Technologies, College of Computer Science and Technology, Xi’an University of Science and Technology.
Cite this article
Deng, F., Lu, J., Wang, SY. et al. A distributed PDP model based on spectral clustering for improving evaluation performance. World Wide Web 22, 1555–1576 (2019). https://doi.org/10.1007/s11280-018-0588-8