An experimental testbed to predict the performance of XACML Policy Decision Points

The performance and scalability of access control systems are a growing concern as organisations deploy ever more complex communications and content management systems. This paper describes how an (offline) experimental testbed may be used to address performance concerns. To begin, timing measurements are collected from a server component incorporating the Policy Decision Point (PDP) under test, using representative policies and corresponding requests. Our experiments with two XACML PDP implementations show that measured request service times are typically clustered by request type; thus an algorithm for request cluster identification is presented. Cluster characterisations are used as inputs to a PDP performance model for a given policy/request mix, and an analytic (queueing) model is used to estimate the equilibrium server load for different mixes of request clusters. The analytic performance prediction model is validated and extended by discrete event simulation of a PDP subject to additional load. These predictive models enable network administrators to explore the capacity of the PDP for different overall loadings (requests per unit time) and profiles (relative frequencies) of requests.
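An added illustration of the capacity-estimation step described above; this is not code from the paper, and it assumes the PDP is modelled as a single M/G/1 server (Poisson arrivals, request service times drawn from a mixture of per-cluster distributions) and that requests have already been assigned to clusters. The cluster statistics and request profile below are constructed sample values.

```python
"""Estimate PDP load and mean response time from per-cluster service times.

Assumed model (not confirmed by the paper): one M/G/1 server whose service
time is a mixture of the per-cluster service-time distributions, weighted by
the request profile (relative frequency of each cluster).
"""
from dataclasses import dataclass
from statistics import mean, variance


@dataclass(frozen=True)
class Cluster:
    name: str
    mean_ms: float  # mean service time, milliseconds
    var_ms2: float  # variance of service time, ms^2


def characterise(name, samples_ms):
    """Summarise one cluster from its measured service times (constructed data here)."""
    return Cluster(name, mean(samples_ms), variance(samples_ms))


def mixture_moments(clusters, profile):
    """First and second raw moments of service time under a request profile."""
    assert abs(sum(profile) - 1.0) < 1e-9, "profile must sum to 1"
    m1 = sum(w * c.mean_ms for c, w in zip(clusters, profile))
    m2 = sum(w * (c.var_ms2 + c.mean_ms ** 2) for c, w in zip(clusters, profile))
    return m1, m2


def utilisation(rate_per_ms, clusters, profile):
    """Equilibrium server load rho = lambda * E[S]; >= 1 means the PDP saturates."""
    m1, _ = mixture_moments(clusters, profile)
    return rate_per_ms * m1


def mean_response_ms(rate_per_ms, clusters, profile):
    """Mean response time from the Pollaczek-Khinchine formula; None if unstable."""
    m1, m2 = mixture_moments(clusters, profile)
    rho = rate_per_ms * m1
    if rho >= 1.0:
        return None
    return rate_per_ms * m2 / (2.0 * (1.0 - rho)) + m1


def max_rate_for_target(target_ms, clusters, profile, iters=60):
    """Largest arrival rate (req/ms) whose mean response time stays within target, by bisection."""
    m1, _ = mixture_moments(clusters, profile)
    lo, hi = 0.0, 1.0 / m1  # stability bound: rho < 1
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        r = mean_response_ms(mid, clusters, profile)
        lo, hi = (mid, hi) if r is not None and r <= target_ms else (lo, mid)
    return lo


# Constructed clusters: e.g. a cheap "permit" path and a slower "deny" path.
CLUSTERS = (Cluster("fast", 1.0, 0.25), Cluster("slow", 4.0, 4.0))
PROFILE = (0.7, 0.3)  # 70% fast requests, 30% slow requests
```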
