Similarity Measure for Security Policies in Service Provider Selection

  • Yanhuang Li
  • Nora Cuppens-Boulahia
  • Jean-Michel Crom
  • Frédéric Cuppens
  • Vincent Frey
  • Xiaoshu Ji
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9478)


The interaction between different applications and services requires expressing their security properties. This is typically defined as security policies, which aim at specifying the diverse privileges of different actors. Today similarity measure for comparing security policies becomes a crucial technique in a variety of scenarios, such as finding the cloud service providers which satisfy client’s security concerns. Existing approaches cover from semantic to numerical dimensions and the main work focuses mainly on XACML policies. However, few efforts have been made to extend the measure approach to multiple policy models and apply it to concrete scenarios. In this paper, we propose a generic and light-weight method to compare and evaluate security policies belonging to different models. Our technique enables client to quickly locate service providers with potentially similar policies. Comparing with other works, our approach takes policy elements’ logic relationships into account and the experiment and implementation demonstrate the efficiency and accuracy of our approach.


IT security Access control Policy evaluation Similarity measure 



The work reported in this paper has been supported by ANRT (Association Nationale de la Recherche et de la Technologie) and Orange as CIFRE (Conventions Industrielles de Formation par la REcherche) thesis and the work of Nora Cuppens-Boulahia and Frédéric Cuppens has been partially carried out in the SUPERCLOUD project, funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 643964.

Supplementary material


  1. 1.
    Li, A., Yang, X., Kandula, S., Zhang, M.: Cloudcmp: comparing public cloud providers. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 1–14. ACM (2010)Google Scholar
  2. 2.
    Yau, S.S., Yin, Y.: Qos-based service ranking and selection for service-based systems. In: 2011 IEEE International Conference on Services Computing (SCC), pp. 56–63. IEEE (2011)Google Scholar
  3. 3.
    Luna, J., Ghani, H., Germanus, D., Suri, N.: A security metrics framework for the cloud. In: 2011 Proceedings of the International Conference on Security and Cryptography (SECRYPT), pp. 245–250. IEEE (2011)Google Scholar
  4. 4.
    Taha, A., Trapero, R., Luna, J., Suri, N.: Ahp-based quantitative approach for assessing and comparing cloud security. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 284–291. IEEE (2014)Google Scholar
  5. 5.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)CrossRefGoogle Scholar
  6. 6.
    Kalam, A.A.E., Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miege, A., Saurel, C., Trouessin, G.: Organization based access control. In: IEEE 4th International Workshop on Policies for Distributed Systems and Networks, 2003, Proceedings, POLICY 2003, pp. 120–131. IEEE (2003)Google Scholar
  7. 7.
    Yuan, E., Tong, J.: Attributed based access control (abac) for web services. In: 2005 IEEE International Conference on Web Services, 2005, ICWS 2005, Proceedings. IEEE (2005)Google Scholar
  8. 8.
    Standard, O.: extensible access control markup language (xacml) version 2.0 (2005)Google Scholar
  9. 9.
    Lin, D., Rao, P., Bertino, E., Lobo, J.: An approach to evaluate policy similarity. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pp. 1–10. ACM (2007)Google Scholar
  10. 10.
    Lin, D., Rao, P., Ferrini, R., Bertino, E., Lobo, J.: A similarity measure for comparing xacml policies. IEEE Trans. Knowl.Data Eng. 25(9), 1946–1959 (2013)CrossRefGoogle Scholar
  11. 11.
    Bei, W., Xing-yuan, C., Yong-fu, Z.: A policy rule dissimilarity evaluation approach based on fuzzy theory. In: International Conference on Computational Intelligence and Software Engineering, 2009, CiSE 2009, pp. 1–6. IEEE (2009)Google Scholar
  12. 12.
    Pham, Q., Reid, J., Dawson, E.: Policy filtering with xacml (2011)Google Scholar
  13. 13.
    Lin, D., Squicciarini, A.: Data protection models for service provisioning in the cloud. In: Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, pp. 183–192. ACM (2010)Google Scholar
  14. 14.
    Cho, E., Ghinita, G., Bertino, E.: Privacy-preserving similarity measurement for access control policies. In: Proceedings of the 6th ACM Workshop on Digital Identity Management, pp. 3–12. ACM (2010)Google Scholar
  15. 15.
    Shaikh, R.A., Sasikumar, M.: Dynamic parameter for selecting a cloud service. In: 2014 International Conference on Computation of Power, Energy, Information and Communication (ICCPEIC), pp. 32–35. IEEE (2014)Google Scholar
  16. 16.
    Bertolino, A., Daoudagh, S., El Kateb, D., Henard, C., Le Traon, Y., Lonetti, F., Marchetti, E., Mouelhi, T., Papadakis, M.: Similarity testing for access control. Inf. Softw. Technol. 58, 355–372 (2015)CrossRefGoogle Scholar
  17. 17.
    Agrawal, D., Giles, J., Lee, K.W., Lobo, J.: Policy ratification. In: Sixth IEEE International Workshop on Policies for Distributed Systems and Networks, 2005, pp. 223–232. IEEE (2005)Google Scholar
  18. 18.
    Lin, D., Rao, P., Bertino, E., Li, N., Lobo, J.: Exam: a comprehensive environment for the analysis of access control policies. Int. J. Inf. Secur. 9(4), 253–273 (2010)CrossRefGoogle Scholar
  19. 19.
    Jaccard, P.: Nouvelles recherches sur la distribution florale. Bulletin de la Société Vaudoise des Sciences Naturelles 44, 223–270 (1908)Google Scholar
  20. 20.
    Cuppens, F., Cuppens-Boulahia, N., Miège, A.: Inheritance hierarchies in the or-bac model and application in a network environment. In: Proceedings of the Foundations of Computer Security (FCS04), pp.41–60 (2004)Google Scholar
  21. 21.
  22. 22.
    Hachana, S., Cuppens-Boulahia, N., Cuppens, F.: Mining a high level access control policy in a network with multiple firewalls. J. Inf. Secur. Appl. 20, 61–73 (2015)Google Scholar
  23. 23.
    Autrel, F., Cuppens, F., Cuppens-Boulahia, N., Coma, C.: Motorbac 2: a security policy tool. In: 3rd Conference on Security in Network Architectures and Information Systems (SAR-SSI 2008), Loctudy, France, pp.273–288 (2008)Google Scholar
  24. 24.
  25. 25.
    Bonatti, P., De Capitani di Vimercati, S., Samarati, P.: An algebra for composing access control policies. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(1), 1–35 (2002)CrossRefGoogle Scholar
  26. 26.
    Bolze, R., Cappello, F., Caron, E., Daydé, M., Desprez, F., Jeannot, E., Jégou, Y., Lanteri, S., Leduc, J., Melab, N., et al.: Grid’5000: a large scale and highly reconfigurable experimental grid testbed. Int. J. High Perform. Comput. Appl. 20(4), 481–494 (2006)CrossRefGoogle Scholar
  27. 27.
    Li, Y., Cuppens-Boulahia, N., Crom, J.M., Cuppens, F., Frey, V.: Reaching agreement in security policy negotiation. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 98–105. IEEE (2014)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Yanhuang Li
    • 1
    • 2
  • Nora Cuppens-Boulahia
    • 2
  • Jean-Michel Crom
    • 1
  • Frédéric Cuppens
    • 2
  • Vincent Frey
    • 1
  • Xiaoshu Ji
    • 1
  1. 1.Orange LabsCesson-SévignéFrance
  2. 2.Télécom BretagneCesson-SévignéFrance

Personalised recommendations