
World Wide Web, Volume 22, Issue 4, pp 1555–1576

A distributed PDP model based on spectral clustering for improving evaluation performance

  • Fan Deng (corresponding author)
  • Jie Lu
  • Shi-Yu Wang
  • Jie Pan
  • Li-Yong Zhang

Abstract

In modern access control systems, the Policy Decision Point (PDP) must become more efficient to meet the ever-growing demand for Web access authorization. Existing XACML implementations of access control systems follow the same ABAC-based architecture but differ in the design of the PDP and other components. Attribute evaluation, a critical step in the PDP, is often implemented in a simple and inefficient way in real applications. To improve PDP evaluation performance, we propose a novel distributed PDP model, called XPDP, which combines two-stage clustering with reordering to remove the computational limits of a single PDP. First, we cluster rules by subject and then apply spectral clustering to refine those groups. Second, for every inbound request the rule clusters are reordered by their similarity to the request before evaluation. Finally, we introduce a distributed PDP architecture for distributed deployment, offering a new perspective on the design of access control systems. We compare the evaluation performance of XPDP with that of the Sun PDP and of SBA-XACML. In an experiment with 10,000 synthetic access requests against three practical policy sets, XPDP is 3.26 times faster than the Sun PDP and 1.85 times faster than SBA-XACML. The experimental results show that PDP evaluation performance can be substantially improved.
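The three stages the abstract describes, as an added example that is not the paper's code and makes its own simplifying choices: a rule is reduced to a flat set of attribute values, the stage-2 affinity between two rules is their Jaccard similarity, the spectral step is a single bipartition on the sign of the Fiedler vector of the normalised Laplacian (the 2-way case of the method in von Luxburg's tutorial, in place of the paper's k-way clustering), and clusters are ranked for a request by the best Jaccard score of any member rule. The `RULES` policy set, the attribute names and the `rule`, `build_index`, `evaluate` and `evaluate_linear` helpers are all constructed for the illustration; the eigen-decomposition is a plain Jacobi iteration so that nothing beyond the standard library is needed.

```python
"""Two-stage rule clustering with request-driven cluster reordering (constructed illustration,
not the paper's code). Stage 1 groups rules by subject; stage 2 splits each group on the sign of
the Fiedler vector of the normalised Laplacian of a Jaccard affinity graph; stage 3 evaluates the
clusters in order of similarity to the inbound request. RULES is a constructed sample policy set
(combining algorithm first-applicable, rules in authored order)."""
import math

def rule(rid, subject, resource, action, purpose, effect):
    return rid, dict(subject=subject, resource=resource, action=action, purpose=purpose), effect

RULES = [
    rule("r1", "doctor", "record", "read", "treatment", "Permit"),
    rule("r2", "doctor", "record", "write", "treatment", "Permit"),
    rule("r3", "doctor", "record", "delete", "treatment", "Deny"),
    rule("r4", "doctor", "bill", "read", "billing", "Permit"),
    rule("r5", "doctor", "bill", "write", "billing", "Deny"),
    rule("r6", "doctor", "bill", "delete", "billing", "Deny"),
    rule("r7", "nurse", "record", "read", "treatment", "Permit"),
    rule("r8", "nurse", "record", "write", "treatment", "Deny"),
    rule("r9", "nurse", "schedule", "read", "scheduling", "Permit"),
    rule("r10", "nurse", "schedule", "write", "scheduling", "Permit"),
    rule("r11", "admin", "audit", "read", "compliance", "Permit"),
]

def values(attrs):
    """Attribute values used for similarity; the subject is the stage-1 key, not a feature."""
    return {v for k, v in attrs.items() if k != "subject"}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def jacobi_eigen(a, sweeps=100, tol=1e-12):
    """Cyclic Jacobi eigen-decomposition of a small symmetric matrix: (eigenvalues, V)."""
    n = len(a)
    a = [row[:] for row in a]
    v = [[float(i == j) for j in range(n)] for i in range(n)]
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.sqrt(theta * theta + 1.0))
                c = 1.0 / math.sqrt(t * t + 1.0)
                s = t * c
                for m in (a, v):  # rotate columns p, q of A and of V (V accumulates eigenvectors)
                    for k in range(n):
                        mkp, mkq = m[k][p], m[k][q]
                        m[k][p], m[k][q] = c * mkp - s * mkq, s * mkp + c * mkq
                for k in range(n):  # rotate rows p, q of A, completing A <- J^T A J
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)], v

def spectral_bipartition(rules):
    """Stage 2: split one subject group by the Fiedler vector of L = I - D^-1/2 W D^-1/2."""
    n = len(rules)
    if n < 2:
        return [rules]
    feats = [values(r[1]) for r in rules]
    w = [[0.0 if i == j else jaccard(feats[i], feats[j]) for j in range(n)] for i in range(n)]
    d = [sum(row) for row in w]
    if min(d) == 0.0:  # an isolated rule means a disconnected graph: keep the group whole
        return [rules]
    lap = [[float(i == j) - w[i][j] / math.sqrt(d[i] * d[j]) for j in range(n)] for i in range(n)]
    eig, vec = jacobi_eigen(lap)
    second = sorted(range(n), key=lambda k: eig[k])[1]  # index of the second-smallest eigenvalue
    fiedler = [vec[i][second] for i in range(n)]
    return [c for c in ([rules[i] for i in range(n) if fiedler[i] >= 0.0],
                        [rules[i] for i in range(n) if fiedler[i] < 0.0]) if c]

def build_index(rules):
    """Stage 1 (group by subject) then stage 2; each subject's clusters can sit on its own PDP node."""
    groups = {}
    for r in rules:
        groups.setdefault(r[1]["subject"], []).append(r)
    return {s: spectral_bipartition(g) for s, g in groups.items()}

def matches(rule_attrs, request):
    return all(request.get(k) == v for k, v in rule_attrs.items())

def evaluate(index, request):
    """Stage 3: first-applicable over clusters ranked by similarity; returns (decision, rules examined)."""
    req_vals = values(request)
    ranked = sorted(index.get(request["subject"], []), reverse=True,
                    key=lambda c: max(jaccard(req_vals, values(r[1])) for r in c))
    examined = 0
    for cluster in ranked:
        for _rid, attrs, effect in cluster:
            examined += 1
            if matches(attrs, request):
                return effect, examined
    return "NotApplicable", examined

def evaluate_linear(rules, request):
    """Baseline: scan the whole policy set in authored order."""
    return next(((e, i) for i, (_, a, e) in enumerate(rules, 1) if matches(a, request)),
                ("NotApplicable", len(rules)))
```

On the constructed set, `build_index(RULES)` splits the doctor rules into a record cluster and a bill cluster and the nurse rules into a record cluster and a schedule cluster, and a request for doctor/bill/write reaches its Deny after examining two rules where the linear scan examines five. Two caveats a deployment has to settle: the spectral step needs a connected affinity graph (the code keeps a group whole when some rule shares no value with any other), and reordering only preserves decisions when no request can match two conflicting rules, which holds here because the constructed rules are mutually exclusive; under first-applicable, conflicting applicable rules would make the decision depend on cluster order, so conflicts must be removed beforehand or an order-independent combining algorithm such as deny-overrides used.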

Keywords

Policy decision point (PDP); Evaluation performance; Clustering and reordering; Spectral clustering; Distributed deployment


Acknowledgments

This work is supported by the scientific research cultivation fund of Xi’an University of Science and Technology in China (201635), the PhD research startup foundation of Xi’an University of Science and Technology in China (2015QDJ072), the natural science foundation of Shaanxi province in China (2017JQ6053), and the national natural science foundation of China (61702408). This work was also supported by the Innovation Group for Interdisciplinary Computing Technologies, College of Computer Science and Technology, Xi’an University of Science and Technology.

References

  1. Borders, K., Zhao, X., Prakash, A.: CPOL: high-performance policy evaluation. In: Proceedings of the International Conference on Computer and Communications Security, pp. 147–157. ACM (2005)
  2. Bui, T., Stoller, S.D., Sharma, S.: Fast distributed evaluation of stateful attribute-based access control policies. In: Proceedings of the International Conference on Data and Applications Security and Privacy, pp. 101–119. IFIP (2017)
  3. Deng, F., Zhang, L.Y.: Elimination of policy conflict to improve the PDP evaluation performance. J. Netw. Comput. Appl. 80(4), 45–57 (2017)
  4. Deng, F., Zhang, L.Y., Zhou, B.Y., Zhang, J.W., Cao, H.Y.: Elimination of the redundancy related to combining algorithms to improve the PDP evaluation performance. Math. Probl. Eng. 2016(4), 1–18 (2016)
  5. Hughes, G., Bultan, T.: Automated verification of access control policies using a SAT solver. Int. J. Softw. Tools Technol. Transfer 10(6), 503–520 (2008)
  6. Jebbaoui, H., Mourad, A., Otrok, H., Haraty, R.: Semantics-based approach for detecting flaws, conflicts and redundancies in XACML policies. Comput. Electr. Eng. 44(C), 91–103 (2015)
  7. Kabir, M.E., Wang, H., Bertino, E.: A role-involved purpose-based access control model. Inf. Syst. Front. 14(3), 809–822 (2012)
  8. Kolovski, V., Hendler, J., Parsia, B.: Analyzing Web access control policies. In: Proceedings of the International Conference on World Wide Web, pp. 677–686. ACM (2007)
  9. Lin, D., Rao, P., Bertino, E., Lobo, J.: An approach to evaluate policy similarity. In: Proceedings of the ACM Symposium on Access Control Models and Technologies, pp. 1–10. ACM (2007)
  10. Lin, D., Rao, P., Ferrini, R., Bertino, E., Lobo, J.: A similarity measure for comparing XACML policies. IEEE Trans. Knowl. Data Eng. 25(9), 1946–1959 (2013)
  11. Liu, T., Wang, Y.: Beyond scale: an efficient framework for evaluating Web access control policies in the era of big data. In: Proceedings of the International Workshop on Security, pp. 316–334 (2015)
  12. Liu, A.X., Chen, F., Hwang, J.H., Xie, T.: Xengine: a fast and scalable XACML policy evaluation engine. In: Proceedings of ACM SIGMETRICS, Performance Evaluation Review, pp. 265–276. ACM (2008)
  13. Liu, A.X., Chen, F., Hwang, J.H., Xie, T.: Designing fast and scalable XACML policy evaluation engines. IEEE Trans. Comput. 60(12), 1802–1817 (2011)
  14. Lorch, M., Proctor, S., Lepro, R., Kafura, D., Shah, S.: First experiences using XACML for access control in distributed systems. In: Proceedings of the ACM Workshop on XML Security, pp. 25–37. ACM (2003)
  15. von Luxburg, U.: A tutorial on spectral clustering. Stat. Comput. 17(4), 395–416 (2007)
  16. Marouf, S., Shehab, M., Squicciarini, A., Sundareswaran, S.: Statistics & clustering based framework for efficient XACML policy evaluation. In: Proceedings of the International Conference on Policies for Distributed Systems and Networks, pp. 118–125. IEEE (2009)
  17. Marouf, S., Shehab, M., Squicciarini, A., Sundareswaran, S.: Adaptive reordering and clustering-based framework for efficient XACML policy evaluation. IEEE Trans. Serv. Comput. 4(4), 300–313 (2011)
  18. Mouelhi, T., Fleurey, F., Baudry, B., Le Traon, Y.: A model-based framework for security policy specification, deployment and testing. In: Proceedings of the International Conference on Model Driven Engineering Languages and Systems, pp. 537–552 (2008)
  19. Mouelhi, T., Le Traon, Y., Baudry, B.: Transforming and selecting functional test cases for security policy testing. In: Proceedings of the International Conference on Software Testing, Verification, and Validation, pp. 171–180. IEEE (2009)
  20. Mourad, A., Jebbaoui, H.: SBA-XACML: set-based approach providing efficient policy decision process for accessing Web services. Expert Syst. Appl. 42(1), 165–178 (2015)
  21. Ng, A.Y., Jordan, M.I., Weiss, Y.: On spectral clustering: analysis and an algorithm. In: Proceedings of NIPS 14, pp. 849–856 (2001)
  22. Ngo, C., Demchenko, Y., de Laat, C.: Decision diagrams for XACML policy evaluation and management. Comput. Secur. 49(5), 1–16 (2015)
  23. Pei, X., Yu, H., Fan, G.: Achieving efficient access control via XACML policy in cloud computing. In: Proceedings of the International Conference on Software Engineering and Knowledge Engineering, pp. 110–115 (2015)
  24. Ros, S.P., Lischka, M.: Graph-based XACML evaluation. In: Proceedings of the ACM Symposium on Access Control Models and Technologies, pp. 83–92. ACM (2012)
  25. Sun's XACML implementation: http://sunxacml.sourceforge.net/
  26. Le Traon, Y., Mouelhi, T., Pretschner, A., Baudry, B.: Test-driven assessment of access control in legacy applications. In: Proceedings of the International Conference on Software Testing, Verification, and Validation, pp. 238–247. IEEE (2008)
  27. Turkmen, F., Demchenko, Y.: On the use of SMT solving for XACML policy evaluation. In: Proceedings of the International Conference on Cloud Computing Technology and Science, pp. 539–544. IEEE (2016)
  28. Wang, H., Cao, J., Zhang, Y.: A flexible payment scheme and its role-based access control. IEEE Trans. Knowl. Data Eng. 17(3), 425–436 (2005)
  29. Wang, H., Zhang, Y., Cao, J.: Access control management for ubiquitous computing. Futur. Gener. Comput. Syst. 24(8), 870–878 (2008)
  30. Wang, Y.Z., Feng, D.G., Zhang, L.W., Zhang, M.: XACML policy evaluation engine based on multi-level optimization technology. J. Softw. 22(2), 323–338 (2011)

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. School of Computer Science and Technology, Xi’an University of Science and Technology, Xi’an, China
  2. School of Software, Xidian University, Xi’an, China
  3. School of Engineering, Hong Kong University of Science and Technology, Hong Kong, China
