A Similarity Measure for Comparing XACML Policies

Assessing the similarity of policies is crucial in a variety of scenarios, such as finding the cloud service providers that satisfy a user's privacy requirements, or finding collaborators whose security and privacy settings match one's own. Existing approaches to policy similarity analysis are mainly based on logical reasoning and Boolean function comparison. Such approaches are computationally expensive and do not scale to large, heterogeneous, distributed environments such as the cloud. In this paper, we propose a policy similarity measure as a lightweight ranking approach that helps one party quickly locate parties with potentially similar policies. In particular, given a policy P, the similarity measure assigns a ranking (a similarity score) to each policy compared with P. We formally define the measure, taking into account various factors, and prove several important properties of it. Our extensive experimental study demonstrates the efficiency and practical value of our approach.
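As an added illustration, not the measure defined in the paper and not the authors' code, the following Python sketch shows the shape of a lightweight, attribute-level similarity score as opposed to full logical comparison: each XACML rule is flattened into (category, attribute, value) triples, pairs of rules are scored by Jaccard overlap (with a Permit/Deny mismatch scoring zero, since a policy that permits what P denies is not "similar" in any useful sense), and candidate policies are ranked against a reference policy P. The XACML 2.0-style element names (SubjectMatch, ResourceMatch, ActionMatch and their designators) are assumed, the sample policies are constructed here, and the scoring formula is this example's own choice.

```python
"""Toy attribute-level similarity ranking for XACML 2.0-style policies (illustrative only)."""
import xml.etree.ElementTree as ET

# --- Constructed sample policies (not from any real deployment) -------------------
def xacml_rule(rule_id, effect, subject, resource, action):
    """Emit a minimal XACML 2.0-style <Rule> with one string-equal match per category."""
    def match(cat, attr, value):
        return (f'<{cat}Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
                f"<AttributeValue>{value}</AttributeValue>"
                f'<{cat}AttributeDesignator AttributeId="{attr}"/></{cat}Match>')
    return (f'<Rule RuleId="{rule_id}" Effect="{effect}"><Target>'
            f"<Subjects><Subject>{match('Subject', 'role', subject)}</Subject></Subjects>"
            f"<Resources><Resource>{match('Resource', 'type', resource)}</Resource></Resources>"
            f"<Actions><Action>{match('Action', 'action-id', action)}</Action></Actions>"
            "</Target></Rule>")

def xacml_policy(policy_id, rules):
    return f'<Policy PolicyId="{policy_id}">{"".join(rules)}</Policy>'

# Reference policy P and three candidates to rank against it.
P = xacml_policy("P", [xacml_rule("p1", "Permit", "doctor", "record", "read"),
                       xacml_rule("p2", "Deny", "guest", "record", "write")])
CANDIDATES = {
    "identical": xacml_policy("Q1", [xacml_rule("q1", "Permit", "doctor", "record", "read"),
                                     xacml_rule("q2", "Deny", "guest", "record", "write")]),
    "near":      xacml_policy("Q2", [xacml_rule("q1", "Permit", "nurse", "record", "read"),
                                     xacml_rule("q2", "Deny", "guest", "record", "write")]),
    "inverted":  xacml_policy("Q3", [xacml_rule("q1", "Deny", "doctor", "record", "read")]),
}

# --- Feature extraction ----------------------------------------------------------
def rule_features(rule):
    """Flatten a <Rule> into (Effect, frozenset of (category, attribute_id, value))."""
    feats = set()
    for elem in rule.iter():
        # Assumes XACML 2.0 category-specific match elements (SubjectMatch, ResourceMatch, ...).
        if not elem.tag.endswith("Match") or elem.tag == "Match":
            continue
        category = elem.tag[:-len("Match")].lower()
        value = elem.findtext("AttributeValue", default="").strip()
        designator = next((c for c in elem if c.tag.endswith("AttributeDesignator")), None)
        attr_id = designator.get("AttributeId", "") if designator is not None else ""
        feats.add((category, attr_id, value))
    return rule.get("Effect"), frozenset(feats)

def policy_rules(xml_text):
    return [rule_features(r) for r in ET.fromstring(xml_text).iter("Rule")]

# --- Scoring ---------------------------------------------------------------------
def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def rule_similarity(r1, r2):
    (effect1, feats1), (effect2, feats2) = r1, r2
    if effect1 != effect2:
        return 0.0  # Permit vs Deny on overlapping targets is a conflict, not a match
    return jaccard(feats1, feats2)

def policy_similarity(p_xml, q_xml):
    """Symmetric score in [0, 1]: each rule is matched to its best counterpart in the other policy."""
    rp, rq = policy_rules(p_xml), policy_rules(q_xml)
    if not rp or not rq:
        return 0.0
    def directed(src, dst):
        return sum(max(rule_similarity(a, b) for b in dst) for a in src) / len(src)
    return (directed(rp, rq) + directed(rq, rp)) / 2

def rank_policies(reference_xml, candidates):
    """Return [(name, score), ...] sorted from most to least similar to the reference policy."""
    scores = {name: policy_similarity(reference_xml, xml) for name, xml in candidates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for name, score in rank_policies(P, CANDIDATES):
        print(f"{name:10s} {score:.2f}")
```

The "near" candidate differs from P only in one subject value on one rule, so it scores 0.75; the "inverted" candidate, which denies exactly what P permits, scores close to zero because the effect mismatch zeroes the rule pair and only the shared resource attribute contributes. This is the trade-off the abstract points at: the score is cheap to compute and good enough to shortlist candidates, but it does not prove two policies grant the same decisions, so a model-checking or logical comparison is still needed before relying on a match.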
