
A distributed PDP model based on spectral clustering for improving evaluation performance

World Wide Web

Abstract

In modern access control systems, the Policy Decision Point (PDP) needs to be more efficient to meet the ever-growing demands of Web access authorization. Present XACML implementations of access control systems follow the same architecture based on ABAC, but vary in the design of the PDP and other components. As a critical process in the PDP, evaluation of attributes is often implemented in a simple and inefficient way in real applications. To improve PDP evaluation performance, we propose a novel distributed PDP model, called XPDP, which combines two-stage clustering and reordering to remove the computational performance limit of a single PDP. First, we cluster rules by subject and then apply spectral clustering to cluster them further. Second, the clusters of rules are reordered before evaluation for every inbound request, based on similarity. Finally, we introduce a distributed PDP architecture for distributed deployment, providing a brand new perspective on designing access control systems. We compare the evaluation performance of XPDP with that of Sun PDP and SBA-XACML. In an experiment using 10,000 synthetic access requests with three practical policy sets, XPDP is 3.26 times faster than Sun PDP and 1.85 times faster than SBA-XACML. Experimental results show that PDP evaluation performance can be significantly improved.
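The following sketch is an added example, not code from the paper: it illustrates subject-based clustering and per-request cluster reordering, and checks that the reordered evaluation returns the same decision as a linear scan while comparing fewer rules. The rule format, the Jaccard similarity measure, exact-match targets and first-applicable combining are assumptions; the spectral clustering stage is omitted.

```python
from collections import defaultdict

# Constructed sample rules: (rule_id, subject, resource, action, effect).
RULES = [
    ("r1", "doctor", "record", "read", "Permit"),
    ("r2", "doctor", "record", "write", "Permit"),
    ("r3", "nurse", "record", "read", "Permit"),
    ("r4", "nurse", "record", "write", "Deny"),
    ("r5", "clerk", "invoice", "read", "Permit"),
    ("r6", "clerk", "record", "read", "Deny"),
]

def matches(rule, req):
    return rule[1:4] == (req["subject"], req["resource"], req["action"])

def evaluate(rule_groups, req):
    """First-applicable scan over groups of rules; returns (decision, rules compared)."""
    compared = 0
    for group in rule_groups:
        for rule in group:
            compared += 1
            if matches(rule, req):
                return rule[4], compared
    return "NotApplicable", compared

def cluster_by_subject(rules):
    """Stage one: partition rules by subject, keeping in-cluster rule order."""
    clusters = defaultdict(list)
    for rule in rules:
        clusters[rule[1]].append(rule)
    return list(clusters.values())

def similarity(cluster, req):
    """Assumed measure: Jaccard overlap of cluster and request attribute values."""
    attrs = {v for rule in cluster for v in rule[1:4]}
    want = set(req.values())
    return len(attrs & want) / len(attrs | want)

def evaluate_reordered(clusters, req):
    # Rules in different subject clusters cannot match the same request, so
    # reordering whole clusters does not change a first-applicable decision.
    # With overlapping (wildcard) targets this would no longer hold.
    ordered = sorted(clusters, key=lambda c: similarity(c, req), reverse=True)
    return evaluate(ordered, req)

def compare(requests):
    """Assert both evaluators agree; return total comparisons (linear, reordered)."""
    clusters, linear, reordered = cluster_by_subject(RULES), 0, 0
    for req in requests:
        d1, n1 = evaluate([RULES], req)
        d2, n2 = evaluate_reordered(clusters, req)
        assert d1 == d2, f"decision changed for {req}"
        linear, reordered = linear + n1, reordered + n2
    return linear, reordered
```

The equivalence assertion in `compare` is the check to keep when experimenting with other similarity measures or rule formats: a faster PDP that returns a different decision is an authorization bug.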


Acknowledgments

This work is supported by the scientific research cultivation fund of Xi’an University of Science and Technology in China (201635), the PhD research startup foundation of Xi’an University of Science and Technology in China (2015QDJ072), the natural science foundation of Shaanxi province in China (2017JQ6053), and the national natural science foundation of China (61702408). This work was also supported by the Innovation Group for Interdisciplinary Computing Technologies, College of Computer Science and Technology, Xi’an University of Science and Technology.

Corresponding author

Correspondence to Fan Deng.


Cite this article

Deng, F., Lu, J., Wang, SY. et al. A distributed PDP model based on spectral clustering for improving evaluation performance. World Wide Web 22, 1555–1576 (2019). https://doi.org/10.1007/s11280-018-0588-8


  • DOI: https://doi.org/10.1007/s11280-018-0588-8
