A distributed PDP model based on spectral clustering for improving evaluation performance

In modern access control systems, the Policy Decision Point (PDP) needs to be more efficient to meet the ever-growing demand for Web access authorization. Present XACML implementations of access control systems follow the same ABAC-based architecture but vary in the design of the PDP and other components. Attribute evaluation, a critical process in the PDP, is often implemented in a simple and inefficient way in real applications. To improve PDP evaluation performance, we propose a novel distributed PDP model, called XPDP, which combines two-stage clustering with reordering to overcome the computational limits of a single PDP. First, we cluster rules by subject and then apply spectral clustering for further partitioning. Second, for every inbound request the rule clusters are reordered by similarity to the request before evaluation. Finally, we introduce a distributed PDP architecture for distributed deployment, offering a new perspective on the design of access control systems. We compare the evaluation performance of XPDP with the Sun PDP and with SBA-XACML. In an experiment using 10,000 synthetic access requests against three practical policy sets, XPDP is 3.26 times faster than the Sun PDP and 1.85 times faster than SBA-XACML. The experimental results show that PDP evaluation performance can be markedly improved.
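The following added example (not the paper's code) illustrates the cluster-then-reorder idea on a constructed XACML-style rule set: rules are grouped by subject and then by resource (a simple stand-in for the paper's spectral second stage), and for each request the applicable clusters are ranked by attribute similarity so the most specific cluster is evaluated first. It assumes a conflict-free, first-applicable policy, so reordering cannot change the decision, and it reports how many rules each strategy touches.

```python
from collections import defaultdict

# Constructed rule set (rule_id, subject, resource, action, effect); "*" matches any value.
# Assumed conflict-free, so evaluation order does not change the decision.
RULES = [
    ("r1", "doctor", "record", "read", "Permit"),
    ("r2", "doctor", "record", "write", "Permit"),
    ("r3", "nurse", "record", "read", "Permit"),
    ("r4", "nurse", "record", "write", "Deny"),
    ("r5", "patient", "record", "read", "Permit"),
    ("r6", "admin", "audit-log", "read", "Permit"),
    ("r7", "*", "audit-log", "write", "Deny"),
    ("r8", "*", "*", "delete", "Deny"),
]

def matches(rule, req):
    """A rule applies when every attribute equals the request value or is a wildcard."""
    wanted = (req["subject"], req["resource"], req["action"])
    return all(r == "*" or r == q for r, q in zip(rule[1:4], wanted))

def naive_evaluate(rules, req):
    """Baseline: linear first-applicable scan; returns (effect, rules touched)."""
    for touched, rule in enumerate(rules, 1):
        if matches(rule, req):
            return rule[4], touched
    return "NotApplicable", len(rules)

def cluster_rules(rules):
    """Stage 1: group by subject. Stage 2: split each group by resource
    (a stand-in for the spectral clustering step described in the paper)."""
    clusters = defaultdict(list)
    for rule in rules:
        clusters[(rule[1], rule[2])].append(rule)
    return dict(clusters)

def similarity(key, req):
    """Count of exactly matching cluster attributes; None if the cluster cannot apply."""
    score = 0
    for k, q in zip(key, (req["subject"], req["resource"])):
        if k == q:
            score += 1
        elif k != "*":
            return None
    return score

def xpdp_evaluate(clusters, req):
    """Rank applicable clusters by similarity (most specific first), then
    evaluate first-applicable within them; returns (effect, rules touched)."""
    ranked = [(s, k) for k in clusters if (s := similarity(k, req)) is not None]
    touched = 0
    for _, key in sorted(ranked, key=lambda t: t[0], reverse=True):
        for rule in clusters[key]:
            touched += 1
            if matches(rule, req):
                return rule[4], touched
    return "NotApplicable", touched
```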
