policy decision point
Recently Published Documents

Total documents: 7 (five years: 0)
H-index: 1 (five years: 0)

2020, Vol 29 (01n02), pp. 2040001
Author(s): Yanfei Li, Fan Deng

eXtensible Access Control Markup Language (XACML) is one of the standardized languages for specifying access control policies. Policies described in XACML express the security requirements of a network or information system when authorization access control is studied. With the aim of improving Policy Decision Point (PDP) evaluation performance, we put forward a Graph and Clustering-Based Framework that employs an aggregate function. First, we partition the rule set into subsets. For single values, we select the best partition count based on the aggregate function. For interval values, we handle the start point and the end point separately, each in the same way as a single value. Second, the policy set is split according to the partition of the rule set. In this way, not only single values but also interval values are taken into consideration. After that, we explore the search tree to obtain the possibly matched rules. Finally, we construct the combining tree and output the policy decision on the basis of it. The experimental results show that our approach is orders of magnitude better than the Sun PDP. A comparison in evaluation performance between the redundancy detecting and eliminating engine and the Sun PDP, as well as XEngine and SBA-XACML, is made. Experimental results show that the evaluation performance of the PDP can be prominently improved by eliminating redundancies.



2016, Vol 2016, pp. 1-18
Author(s): Fan Deng, Li-Yong Zhang, Bo-Yu Zhou, Jia-Wei Zhang, Hong-Yang Cao

If there are many redundancies in the policies loaded on the policy decision point (PDP) of an authorization access control model, the system occupies more resources in operation and consumes a great deal of evaluation time and storage space. In order to detect and eliminate policy redundancies and thereby improve the evaluation performance of the PDP, an engine for detecting and eliminating the redundancy related to combining algorithms is proposed in this paper. This engine can not only detect and eliminate the redundancy related to combining algorithms, but also evaluate access requests. A Resource Brick Wall is constructed by the engine according to the resource attribute of a policy's target attributes. Based on the Resource Brick Wall and the policy/rule combining algorithms, three theorems for detecting redundancies related to combining algorithms are proposed. A comparison of the evaluation performance of this detecting and eliminating engine with that of the Sun PDP is made. Experimental results show that the evaluation performance of the PDP can be prominently improved by eliminating the redundancy related to combining algorithms.



2014, Vol 2014, pp. 1-14
Author(s): Fan Deng, Ping Chen, Li-Yong Zhang, Xian-Qing Wang, Sun-De Li, ...

In conventional centralized authorization models, the evaluation performance of the policy decision point (PDP) decreases noticeably as the number of rules embodied in a policy grows. Aiming to improve the evaluation performance of the PDP, a distributed policy evaluation engine called XDPEE is presented. In this engine, the single-PDP structure of the centralized authorization model is changed by increasing the number of PDPs. A policy is decomposed into multiple subpolicies, each with fewer rules, using a decomposition method that balances the cost of the subpolicies deployed to each PDP. Policy decomposition is the key problem in improving the evaluation performance of PDPs. A greedy algorithm with O(n lg n) time complexity for policy decomposition is constructed. In experiments, the policies of the LMS, VMS, and ASMS from real applications are each decomposed into multiple subpolicies using the greedy algorithm. Policy decomposition guarantees that the cost of the subpolicies deployed to each PDP is equal or approximately equal. Experimental results show that (1) the policy decomposition method improves the evaluation performance of PDPs effectively and that (2) the evaluation time of PDPs decreases as the number of PDPs grows.



Author(s): Michel Embe Jiague, Marc Frappier, Frédéric Gervais, Régine Laleau, Richard St-Denis

Controlling access to the Web services of public agencies and private corporations depends primarily on specifying and deploying functional security rules to satisfy strict regulations imposed by governments, particularly in the financial and health sectors. This paper focuses on one aspect of the SELKIS and EB3SEC projects related to the security of Web-based information systems, namely, the automatic transformation of security rules into WS-BPEL (or BPEL, for short) processes. The former are instantiated from security-rule patterns written in a graphical notation called ASTD, which is close to statecharts. The latter are executed by a BPEL engine integrated into a policy decision point, which is a component of a policy enforcement manager similar to that proposed in the XACML standard.

