An efficient policy evaluation engine with locomotive algorithm

The evaluation performance of the PDP (policy decision point), especially on large-scale policy sets, is one of the most significant challenges in XACML (eXtensible Access Control Markup Language). Large-scale policy sets are time-consuming to evaluate and expensive to store, and improving their evaluation performance becomes harder as they grow more complicated. Based on numericalization and batch processing, a new locomotive algorithm is proposed to design and implement a novel policy evaluation engine, called XDPNBE, that can efficiently handle large-scale policy sets and make authorization decisions in multiple circumstances. XDPNBE enables efficient decisions within an attribute-based access control framework and substantially improves evaluation performance. Using simulated requests, XDPNBE is compared with the Sun PDP, XEngine, HPEngine and SBA-XACML. Experimental results show that when the number of requests reaches 10,000, the evaluation time of XDPNBE on a large-scale policy set with 120,000 rules is approximately 0.21%, 4.69%, 5.67% and 9.66% of that of the Sun PDP, XEngine, HPEngine and SBA-XACML, respectively.
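The abstract names two ideas, attribute numericalization and batch processing, without showing what they look like in an evaluator. The following Python is an added illustration of those two ideas in general and is not the paper's locomotive algorithm or XDPNBE code: every distinct string value of each attribute is mapped to a small integer, rules are indexed by those integers so that a request touches only rules whose target codes it shares, and a batch of requests is decided once per distinct encoding. The three-attribute rule format, the first-applicable combining, and the sample policy and requests are all constructed for the example; a plain string-matching evaluator serves as an oracle so the numeric path can be checked against it.

```python
"""Attribute numericalization plus batched, indexed policy evaluation.

Added illustration of the two ideas the abstract names (numericalization and
batch processing). It is not the paper's locomotive algorithm or XDPNBE code;
the rule format, the first-applicable combining and the sample data below are
all constructed for this example.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ATTRS = ("subject", "resource", "action")
Rule = Tuple[Optional[str], Optional[str], Optional[str], str]  # None = any value
Request = Dict[str, str]


def reference_decide(rules: List[Rule], req: Request) -> str:
    """Plain string-matching evaluator (first-applicable), used as the oracle."""
    for *targets, effect in rules:
        if all(t is None or t == req[a] for t, a in zip(targets, ATTRS)):
            return effect
    return "NotApplicable"


class NumericPDP:
    """Encodes every attribute value as an integer and indexes rules by code."""

    def __init__(self, rules: List[Rule]):
        self.codes: Dict[str, Dict[str, int]] = {a: {} for a in ATTRS}
        # index[attr][code] -> ids of rules whose target on attr is that code
        self.index: Dict[str, Dict[int, set]] = {a: defaultdict(set) for a in ATTRS}
        # wild[attr] -> ids of rules that place no constraint on attr
        self.wild: Dict[str, set] = {a: set() for a in ATTRS}
        self.effects: List[str] = []
        for rid, (*targets, effect) in enumerate(rules):
            self.effects.append(effect)
            for attr, target in zip(ATTRS, targets):
                if target is None:
                    self.wild[attr].add(rid)
                else:
                    self.index[attr][self._encode(attr, target)].add(rid)

    def _encode(self, attr: str, value: str) -> int:
        table = self.codes[attr]
        return table.setdefault(value, len(table))

    def _encode_request(self, req: Request) -> Tuple[int, ...]:
        # a request value that appears in no rule gets -1, which no bucket holds
        return tuple(self.codes[a].get(req[a], -1) for a in ATTRS)

    def decide_one(self, key: Tuple[int, ...]) -> str:
        """Intersect the per-attribute candidate sets; lowest surviving id wins."""
        candidates = None
        for attr, code in zip(ATTRS, key):
            bucket = self.index[attr].get(code, set()) | self.wild[attr]
            candidates = bucket if candidates is None else candidates & bucket
            if not candidates:
                return "NotApplicable"
        # first-applicable: the earliest rule matching every attribute
        return self.effects[min(candidates)]

    def decide_batch(self, requests: List[Request]) -> List[str]:
        """Evaluate many requests at once, deciding each distinct encoding only once."""
        cache: Dict[Tuple[int, ...], str] = {}
        out = []
        for req in requests:
            key = self._encode_request(req)
            if key not in cache:
                cache[key] = self.decide_one(key)
            out.append(cache[key])
        return out


# Constructed sample policy and requests (not from the paper).
SAMPLE_RULES: List[Rule] = [
    ("alice", "payroll", "read", "Permit"),
    (None, "payroll", "write", "Deny"),
    ("bob", None, "read", "Permit"),
    ("alice", "payroll", "write", "Permit"),  # shadowed by the Deny rule above
]
SAMPLE_REQUESTS: List[Request] = [
    {"subject": "alice", "resource": "payroll", "action": "read"},
    {"subject": "alice", "resource": "payroll", "action": "write"},
    {"subject": "bob", "resource": "ledger", "action": "read"},
    {"subject": "carol", "resource": "payroll", "action": "read"},
    {"subject": "alice", "resource": "payroll", "action": "read"},  # duplicate, served from cache
]


def run_sample() -> Tuple[List[str], List[str]]:
    """Return (numeric decisions, reference decisions) for the sample batch."""
    pdp = NumericPDP(SAMPLE_RULES)
    numeric = pdp.decide_batch(SAMPLE_REQUESTS)
    reference = [reference_decide(SAMPLE_RULES, r) for r in SAMPLE_REQUESTS]
    return numeric, reference


if __name__ == "__main__":
    for req, dec in zip(SAMPLE_REQUESTS, run_sample()[0]):
        print(req, "->", dec)
```

The point of the oracle is that any such encoding and indexing must be decision-preserving: rule order still governs first-applicable combining (the lowest surviving rule id), wildcard targets must remain in every candidate set, and a request value that occurs in no rule must map to a code that no rule can match rather than colliding with a real one. The batch cache only helps when many requests share an encoding, which is exactly the situation a large request stream against a fixed policy set produces.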
