Towards an algebraic approach to solve policy conflicts

Policy-based security is one of the most innovative area in the security arena. A policy represents the high level targets and is applied by using sets of rules. A rule consists in a set of conditions expressing the domain of application and a set of actions that must be performed when conditions are met. One of the major problems is the conflict management, that is the decision of the action to be executed when more than one rule applies. In this paper we present a formal definition of policy, policy rules (in if-conditions-then-actions format) and policy conflicts and we use semi-lattices to solve inconsistencies. These algebraic structures are helpful to convey information about the actions to enforce when conflicts occur as well as the importance or the severity of the actions. We also extend the semi-lattice based approach to AND-ed and OR-ed sets of actions.

[1]  Andrea Westerinen,et al.  Terminology for Policy-Based Management , 2001, RFC.

[2]  Alessandra Russo,et al.  Using event calculus to formalise policy specification and analysis , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[3]  Sabrina De Capitani di Vimercati,et al.  An algebra for composing access control policies , 2002, TSEC.

[4]  Eric Vyncke,et al.  IPsec Configuration Policy Information Model , 2003, RFC.

[5]  Antonis C. Kakas,et al.  The role of abduction in logic programming , 1998 .

[6]  Emil C. Lupu,et al.  Conflicts in Policy-Based Distributed Systems Management , 1999, IEEE Trans. Software Eng..

[7]  L. Chambadal,et al.  Thèorie des treillis , 1971 .

[8]  Brian Weis,et al.  The Group Domain of Interpretation , 2003, RFC.

[9]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[10]  Francesca Rossi,et al.  Semiring-based constraint solving and optimization , 1997 .

[11]  Randall J. Atkinson,et al.  IP Encapsulating Security Payload (ESP) , 1995, RFC.

[12]  Andrea Westerinen,et al.  Policy Core Information Model - Version 1 Specification , 2001, RFC.

[13]  John S. Baras,et al.  Towards automated negotiation of access control policies , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[14]  Morris Sloman,et al.  Policies Hierarchies for Distributed Systems Management , 1993, IEEE J. Sel. Areas Commun..