ABSTRACT
Recent collaborative applications and enterprises very often need to efficiently integrate their access control policies. An important step in policy integration is to analyze the similarity of policies. Existing approaches to policy similarity analysis are mainly based on logical reasoning and Boolean function comparison. Such approaches are computationally expensive and do not scale well for large heterogeneous distributed environments (like Grid computing systems). In this paper, we propose a policy similarity measure as a filter phase for policy similarity analysis. This measure provides a lightweight approach to pre-compile a large number of policies and return only the most similar policies for further evaluation. In the paper we formally define the measure, taking into account both the case of categorical attributes and the case of numeric attributes. Detailed algorithms are presented for the similarity computation. Results of our case study demonstrate the efficiency and practical value of our approach.