Adaptive Reordering and Clustering-Based Framework for Efficient XACML Policy Evaluation

The adoption of XACML as the standard for specifying access control policies for various applications, especially web services is vastly increasing. This calls for high performance XACML policy evaluation engines. A policy evaluation engine can easily become a bottleneck when enforcing XACML policies with a large number of rules. In this paper we propose an adaptive approach for XACML policy optimization. We apply a clustering technique to policy sets based on the K-means algorithm. In addition to clustering we find that, since a policy set has a variable number of policies and a policy has a variable number of rules, their ordering is important for efficient execution. By clustering policy sets and reordering policies and rules in a policy set and policies respectively, we formulated and solved the optimal policy execution problem. The proposed clustering technique categorizes policies and rules within a policy set and policy respectively in respect to target subjects. When a request is received, it is redirected to applicable policies and rules that correspond to its subjects; hence, avoiding unnecessary evaluations from occurring. We also propose a usage based framework that computes access request statistics to dynamically optimize the ordering access control to policies within a policy set and rules within a policy. Reordering is applied to categorized policies and rules from our proposed clustering technique. To evaluate the performance of our framework, we conducted extensive experiments on XACML policies. We evaluated separately the improvement due to categorization and to reordering techniques, in order to assess the policy sets targeted by our techniques. The experimental results show that our approach is orders of magnitude more efficient than standard Sun PDP.

[1]  Philip Miseldine,et al.  Automated xacml policy reconfiguration for evaluation optimisation , 2008, SESS '08.

[2]  Udo Kelter,et al.  Enforcing Privacy by Means of an Ontology Driven XACML Framework , 2007, Third International Symposium on Information Assurance and Security.

[3]  S. Sudarshan,et al.  Extending query rewriting techniques for fine-grained access control , 2004, SIGMOD '04.

[4]  Ian Witten,et al.  Data Mining , 2000 .

[5]  Ian H. Witten,et al.  Data mining: practical machine learning tools and techniques, 3rd Edition , 1999 .

[6]  Tao Xie,et al.  Xengine: a fast and scalable XACML policy evaluation engine , 2008, SIGMETRICS '08.

[7]  Jorge Lobo,et al.  An approach to evaluate policy similarity , 2007, SACMAT '07.

[8]  Michael Carl Tschantz,et al.  Verification and change-impact analysis of access-control policies , 2005, Proceedings. 27th International Conference on Software Engineering, 2005. ICSE 2005..

[9]  Ehab Al-Shaer,et al.  Dynamic rule-ordering optimization for high-speed firewall filtering , 2006, ASIACCS '06.

[10]  Elisa Bertino,et al.  XACML Policy Integration Algorithms , 2008, TSEC.

[11]  Tim Moses,et al.  EXtensible Access Control Markup Language (XACML) version 1 , 2003 .

[12]  Tao Xie,et al.  Defining and Measuring Policy Coverage in Testing Access Control Policies , 2006, ICICS.

[13]  Ronald L. Rivest,et al.  On self-organizing sequential search heuristics , 1976, CACM.

[14]  Udo Kelter,et al.  Enforcing Privacy by Means of an Ontology Driven XACML Framework , 2007 .

[15]  James A. Hendler,et al.  Analyzing web access control policies , 2007, WWW '07.

[16]  Tevfik Bultan,et al.  Automated Verification of XACML Policies Using a SAT Solver ? , 2007 .

[17]  Jia Wang,et al.  Packet classifiers in ternary CAMs can be smaller , 2006, SIGMETRICS '06/Performance '06.

[18]  Ehab Al-Shaer,et al.  Adaptive Statistical Optimization Techniques for Firewall Packet Filtering , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.