A novel conflict detection method for ABAC security policies

Abstract: Attribute-based access control (ABAC) is widely used in systems with large numbers of resources and users, such as the Industrial Internet of Things (IIoT) and industrial information integration systems. Attribute-based security policies are highly flexible and expressive, but conflicts between policies occur frequently, affecting the security and availability of the system. Based on an analysis of ABAC security policies represented in the eXtensible Access Control Markup Language (XACML), this study proposes formal definitions of explicit conflicting rules, probable-conflicting rules, and never-conflicting rules. We also found that conflicts occur in a pair of rules whose attribute expressions have overlapping values and that can be applied to the same request. A new conflict detection method is proposed in which implicit conflicting rules are converted to explicit conflicting rules by completing the absent attribute expressions; all rules in the set are then compared in pairs to detect every probable-conflicting rule. In this way, the conflicting probability of each pair of policy rules can be analyzed. Furthermore, we define two metrics to evaluate the conflict level of a rule set. Experimental results show that implicit conflicting rules are more numerous than explicit conflicting rules in the policy set, and that the conflict level of a rule set falls significantly as the number of attribute expressions per rule increases, which provides a reference for policy making. With this method, administrators can formulate more robust and efficient security policies and improve the security and availability of their systems.
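The detection method the abstract describes (complete absent attribute expressions, then compare every pair of rules for overlapping attribute values under differing effects) can be illustrated with a small model. The following is an added example written for this page, not code from the paper; the abstract does not give the paper's formal definitions or its two metrics, so the classification used here (identical expressions with opposite effects = explicit, overlapping but non-identical = probable, disjoint or same effect = never), the per-pair overlap fraction, and the two rule-set metrics are assumed readings. The attribute domains and the six rules are constructed for the example.

```python
"""Pairwise conflict detection over a constructed ABAC rule set (added example)."""
from itertools import combinations
from math import prod

# Constructed attribute domains: the full value set each attribute can take.
DOMAINS = {
    "role": {"operator", "engineer", "admin"},
    "resource": {"sensor", "plc", "hmi"},
    "action": {"read", "write"},
    "shift": {"day", "night"},
}

# Constructed rule set: (rule_id, effect, {attribute: allowed values}).
# Rules that omit an attribute (e.g. "shift") are implicit rules.
RULES = [
    ("r1", "permit", {"role": {"operator", "engineer"}, "resource": {"sensor"}, "action": {"read"}}),
    ("r2", "deny",   {"role": {"operator"}, "resource": {"sensor"}, "action": {"read"}, "shift": {"night"}}),
    ("r3", "deny",   {"role": {"engineer"}, "resource": {"plc"}, "action": {"write"}}),
    ("r4", "permit", {"role": {"admin"}}),
    ("r5", "deny",   {"resource": {"hmi"}, "action": {"write"}}),
    ("r6", "deny",   {"role": {"operator", "engineer"}, "resource": {"sensor"}, "action": {"read"}}),
]


def complete(rule_attrs, domains=DOMAINS):
    """Make an implicit rule explicit: an attribute absent from the rule
    matches any value, so it is completed with the whole domain."""
    return {a: set(rule_attrs.get(a, dom)) for a, dom in domains.items()}


def overlap_fraction(a, b, domains=DOMAINS):
    """Fraction of the request space (Cartesian product of the domains) that
    matches both completed rules: product over attributes of |A_i & B_i| / |D_i|.
    Assumed reading of a per-pair 'conflicting probability'."""
    return prod(len(a[x] & b[x]) / len(domains[x]) for x in domains)


def classify(rule_a, rule_b, domains=DOMAINS):
    """Classify a pair as 'explicit', 'probable' or 'never' conflicting
    (assumed definitions) and return (kind, overlap fraction)."""
    (_, eff_a, attrs_a), (_, eff_b, attrs_b) = rule_a, rule_b
    a, b = complete(attrs_a, domains), complete(attrs_b, domains)
    if eff_a == eff_b:
        return "never", 0.0          # same decision, no conflict possible
    if any(not (a[x] & b[x]) for x in domains):
        return "never", 0.0          # some attribute disjoint: no common request
    kind = "explicit" if all(a[x] == b[x] for x in domains) else "probable"
    return kind, overlap_fraction(a, b, domains)


def detect_conflicts(rules, domains=DOMAINS):
    """Compare all rules pairwise; return (id_a, id_b, kind, overlap) for every
    pair that is not never-conflicting, in rule order."""
    found = []
    for ra, rb in combinations(rules, 2):
        kind, overlap = classify(ra, rb, domains)
        if kind != "never":
            found.append((ra[0], rb[0], kind, overlap))
    return found


def conflict_metrics(rules, domains=DOMAINS):
    """Two rule-set level metrics (assumed, not the paper's own definitions):
    conflict ratio = conflicting pairs / all pairs, and
    mean overlap = average overlap fraction over the conflicting pairs."""
    pairs = len(rules) * (len(rules) - 1) // 2
    found = detect_conflicts(rules, domains)
    ratio = len(found) / pairs if pairs else 0.0
    mean_overlap = sum(f[3] for f in found) / len(found) if found else 0.0
    return ratio, mean_overlap


if __name__ == "__main__":
    for id_a, id_b, kind, overlap in detect_conflicts(RULES):
        print(f"{id_a} vs {id_b}: {kind:8s} overlap={overlap:.4f}")
    ratio, mean_overlap = conflict_metrics(RULES)
    print(f"conflict ratio={ratio:.3f} mean overlap={mean_overlap:.4f}")
```

Rules r1 and r6 both omit "shift"; once completed they have identical attribute expressions with opposite effects, so a pair that looked implicit becomes an explicit conflict, while r1/r2 and r4/r5 only overlap on part of the request space and are reported as probable conflicts with a lower overlap fraction.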
