DOI: 10.1145/1266840.1266842

An approach to evaluate policy similarity

Published: 20 June 2007

Abstract

Recent collaborative applications and enterprises very often need to efficiently integrate their access control policies. An important step in policy integration is to analyze the similarity of policies. Existing approaches to policy similarity analysis are mainly based on logical reasoning and boolean function comparison. Such approaches are computationally expensive and do not scale well for large heterogeneous distributed environments (like Grid computing systems). In this paper, we propose a policy similarity measure as a filter phase for policy similarity analysis. This measure provides a lightweight approach to pre-compile a large number of policies and return only the most similar policies for further evaluation. In the paper we formally define the measure, taking into account both the case of categorical attributes and that of numeric attributes. Detailed algorithms are presented for the similarity computation. Results of our case study demonstrate the efficiency and practical value of our approach.

Published In

SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies
June 2007
254 pages
ISBN:9781595937452
DOI:10.1145/1266840

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. XACML policies
  2. access control policies
  3. policy similarity measure

Qualifiers

  • Article

Conference

SACMAT07

Acceptance Rates

Overall Acceptance Rate 177 of 597 submissions, 30%
