Statistics & clustering based framework for efficient XACML policy evaluation

Authors:
Said Marouf;Mohamed Shehab;Anna Squicciarini;Smitha Sundareswaran
Affiliations:
Department of Software and Information Systems, University of North Carolina at Charlotte, Charlotte, NC;Department of Software and Information Systems, University of North Carolina at Charlotte, Charlotte, NC;College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA;College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA
Venue:
POLICY'09 Proceedings of the 10th IEEE international conference on Policies for distributed systems and networks
Year:
2009

Citing 10
Cited 0

On self-organizing sequential search heuristics

Communications of the ACM
Extending query rewriting techniques for fine-grained access control

SIGMOD '04 Proceedings of the 2004 ACM SIGMOD international conference on Management of data
Dynamic rule-ordering optimization for high-speed firewall filtering

ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
Packet classifiers in ternary CAMs can be smaller

SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems
Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)

Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)
An approach to evaluate policy similarity

Proceedings of the 12th ACM symposium on Access control models and technologies
Enforcing Privacy by Means of an Ontology Driven XACML Framework

IAS '07 Proceedings of the Third International Symposium on Information Assurance and Security
XACML Policy Integration Algorithms

ACM Transactions on Information and System Security (TISSEC)
Automated xacml policy reconfiguration for evaluation optimisation

Proceedings of the fourth international workshop on Software engineering for secure systems
Xengine: a fast and scalable XACML policy evaluation engine

SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems

Quantified Score

Hi-index	0.04

Visualization

Abstract

The adoption of XACML as the standard for specifying access control policies for various applications, especially web services is vastly Increasing. A policy evaluation engine can easily become a bottleneck when enforcing large policies. In this paper we propose an adaptive approach for XACML policy optimization. We proposed a clustering technique that categorizes policies and rules within a policy set and policy respectively in respect to target subjects. Furthermore, we propose a usage based framework that computes access request statistics to dynamically optimize the ordering of policies within a policy set and rules within a policy. Reordering is applied to categorized policies and rules from our proposed clustering technique. To evaluate the performance of our framework, we conducted extensive experiments on XACML policies. We evaluated separately the improvement due to categorization and to reordering techniques, in order to assess the policy sets targeted by our techniques. The experimental results show that our approach is orders of magnitude more efficient than the standard Sun PDP.