Skip to main content
SpringerLink
Log in

Similarity Measure for Security Policies in Service Provider Selection

  • Conference paper
  • First Online:
Information Systems Security (ICISS 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9478))

Included in the following conference series:

Abstract

The interaction between different applications and services requires expressing their security properties. This is typically defined as security policies, which aim at specifying the diverse privileges of different actors. Today similarity measure for comparing security policies becomes a crucial technique in a variety of scenarios, such as finding the cloud service providers which satisfy client’s security concerns. Existing approaches cover from semantic to numerical dimensions and the main work focuses mainly on XACML policies. However, few efforts have been made to extend the measure approach to multiple policy models and apply it to concrete scenarios. In this paper, we propose a generic and light-weight method to compare and evaluate security policies belonging to different models. Our technique enables client to quickly locate service providers with potentially similar policies. Comparing with other works, our approach takes policy elements’ logic relationships into account and the experiment and implementation demonstrate the efficiency and accuracy of our approach.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We suppose that SPs in a cloud federation share the same domain and two SPs in the same domain can be composed as a virtual SP.

References

  1. Li, A., Yang, X., Kandula, S., Zhang, M.: Cloudcmp: comparing public cloud providers. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, pp. 1–14. ACM (2010)

    Google Scholar 

  2. Yau, S.S., Yin, Y.: Qos-based service ranking and selection for service-based systems. In: 2011 IEEE International Conference on Services Computing (SCC), pp. 56–63. IEEE (2011)

    Google Scholar 

  3. Luna, J., Ghani, H., Germanus, D., Suri, N.: A security metrics framework for the cloud. In: 2011 Proceedings of the International Conference on Security and Cryptography (SECRYPT), pp. 245–250. IEEE (2011)

    Google Scholar 

  4. Taha, A., Trapero, R., Luna, J., Suri, N.: Ahp-based quantitative approach for assessing and comparing cloud security. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 284–291. IEEE (2014)

    Google Scholar 

  5. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38–47 (1996)

    Article  Google Scholar 

  6. Kalam, A.A.E., Baida, R., Balbiani, P., Benferhat, S., Cuppens, F., Deswarte, Y., Miege, A., Saurel, C., Trouessin, G.: Organization based access control. In: IEEE 4th International Workshop on Policies for Distributed Systems and Networks, 2003, Proceedings, POLICY 2003, pp. 120–131. IEEE (2003)

    Google Scholar 

  7. Yuan, E., Tong, J.: Attributed based access control (abac) for web services. In: 2005 IEEE International Conference on Web Services, 2005, ICWS 2005, Proceedings. IEEE (2005)

    Google Scholar 

  8. Standard, O.: extensible access control markup language (xacml) version 2.0 (2005)

    Google Scholar 

  9. Lin, D., Rao, P., Bertino, E., Lobo, J.: An approach to evaluate policy similarity. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, pp. 1–10. ACM (2007)

    Google Scholar 

  10. Lin, D., Rao, P., Ferrini, R., Bertino, E., Lobo, J.: A similarity measure for comparing xacml policies. IEEE Trans. Knowl.Data Eng. 25(9), 1946–1959 (2013)

    Article  Google Scholar 

  11. Bei, W., Xing-yuan, C., Yong-fu, Z.: A policy rule dissimilarity evaluation approach based on fuzzy theory. In: International Conference on Computational Intelligence and Software Engineering, 2009, CiSE 2009, pp. 1–6. IEEE (2009)

    Google Scholar 

  12. Pham, Q., Reid, J., Dawson, E.: Policy filtering with xacml (2011)

    Google Scholar 

  13. Lin, D., Squicciarini, A.: Data protection models for service provisioning in the cloud. In: Proceedings of the 15th ACM Symposium on Access Control Models and Technologies, pp. 183–192. ACM (2010)

    Google Scholar 

  14. Cho, E., Ghinita, G., Bertino, E.: Privacy-preserving similarity measurement for access control policies. In: Proceedings of the 6th ACM Workshop on Digital Identity Management, pp. 3–12. ACM (2010)

    Google Scholar 

  15. Shaikh, R.A., Sasikumar, M.: Dynamic parameter for selecting a cloud service. In: 2014 International Conference on Computation of Power, Energy, Information and Communication (ICCPEIC), pp. 32–35. IEEE (2014)

    Google Scholar 

  16. Bertolino, A., Daoudagh, S., El Kateb, D., Henard, C., Le Traon, Y., Lonetti, F., Marchetti, E., Mouelhi, T., Papadakis, M.: Similarity testing for access control. Inf. Softw. Technol. 58, 355–372 (2015)

    Article  Google Scholar 

  17. Agrawal, D., Giles, J., Lee, K.W., Lobo, J.: Policy ratification. In: Sixth IEEE International Workshop on Policies for Distributed Systems and Networks, 2005, pp. 223–232. IEEE (2005)

    Google Scholar 

  18. Lin, D., Rao, P., Bertino, E., Li, N., Lobo, J.: Exam: a comprehensive environment for the analysis of access control policies. Int. J. Inf. Secur. 9(4), 253–273 (2010)

    Article  Google Scholar 

  19. Jaccard, P.: Nouvelles recherches sur la distribution florale. Bulletin de la Société Vaudoise des Sciences Naturelles 44, 223–270 (1908)

    Google Scholar 

  20. Cuppens, F., Cuppens-Boulahia, N., Miège, A.: Inheritance hierarchies in the or-bac model and application in a network environment. In: Proceedings of the Foundations of Computer Security (FCS04), pp.41–60 (2004)

    Google Scholar 

  21. http://docs.openstack.org/developer/keystone/configuration.html

  22. Hachana, S., Cuppens-Boulahia, N., Cuppens, F.: Mining a high level access control policy in a network with multiple firewalls. J. Inf. Secur. Appl. 20, 61–73 (2015)

    Google Scholar 

  23. Autrel, F., Cuppens, F., Cuppens-Boulahia, N., Coma, C.: Motorbac 2: a security policy tool. In: 3rd Conference on Security in Network Architectures and Information Systems (SAR-SSI 2008), Loctudy, France, pp.273–288 (2008)

    Google Scholar 

  24. http://www.supercloud-project.eu

  25. Bonatti, P., De Capitani di Vimercati, S., Samarati, P.: An algebra for composing access control policies. ACM Trans. Inf. Syst. Secur. (TISSEC) 5(1), 1–35 (2002)

    Article  Google Scholar 

  26. Bolze, R., Cappello, F., Caron, E., Daydé, M., Desprez, F., Jeannot, E., Jégou, Y., Lanteri, S., Leduc, J., Melab, N., et al.: Grid’5000: a large scale and highly reconfigurable experimental grid testbed. Int. J. High Perform. Comput. Appl. 20(4), 481–494 (2006)

    Article  Google Scholar 

  27. Li, Y., Cuppens-Boulahia, N., Crom, J.M., Cuppens, F., Frey, V.: Reaching agreement in security policy negotiation. In: 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 98–105. IEEE (2014)

    Google Scholar 

Download references

Acknowledgments

The work reported in this paper has been supported by ANRT (Association Nationale de la Recherche et de la Technologie) and Orange as CIFRE (Conventions Industrielles de Formation par la REcherche) thesis and the work of Nora Cuppens-Boulahia and Frédéric Cuppens has been partially carried out in the SUPERCLOUD project, funded by the European Union’s Horizon 2020 research and innovation programme under grant agreement No 643964.

Author information

Authors and Affiliations

  1. Orange Labs, 4 Rue du Clos Courtel, 35510, Cesson-Sévigné, France

    Yanhuang Li, Jean-Michel Crom, Vincent Frey & Xiaoshu Ji

  2. Télécom Bretagne, 2 Rue de la Châtaigneraie, 35510, Cesson-Sévigné, France

    Yanhuang Li, Nora Cuppens-Boulahia & Frédéric Cuppens

Authors
  1. Yanhuang Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nora Cuppens-Boulahia
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jean-Michel Crom
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Frédéric Cuppens
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Vincent Frey
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Xiaoshu Ji
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yanhuang Li .

Editor information

Editors and Affiliations

  1. Center for Secure Information Systems, Fairfax, Virginia, USA

    Sushil Jajoda

  2. Jadavpur University, Kolkata, India

    Chandan Mazumdar

Appendices

Appendix

A Brute-force based test for existing work

Figure 10 shows the brute-force test result of policy similarity score by using the same test environment illustrated in Sect. 4. The y-axis represents the PSM score computed by the algorithm proposed in [10]; the x-axis shows the test result of policy similarity defined by Eq. (7) [10], where Sreq denotes the set of the requests with the same decisions from \(p_1\) and \(p_2\) and Req is the set of the requests applicable to either \(p_1\) or \(p_2\):

$$\begin{aligned} \begin{aligned} S_{policy}(p_1,p_2)={|Sreq|}/{|Req|} \end{aligned} \end{aligned}$$
(7)

We remark that the similarity score computed does not approximate to the test result. The main reason is that, firstly, as a brute-force based test method, our input requests are more exhaustive than ones generated by other test tools such as MTBDD [18]. Secondly, the PSM algorithm defined in [10] focuses only on the literal level but not logic aspect of security policy. As a result, two security rules sharing the majority of common elements are considered to hold a higher similarity score. However, the rest of elements may cause totally different decisions which indicates that the two rules are not similar in terms of output.

Fig. 10.
figure 10

Experiment of similarity score (set-4).

Full size image

Rights and permissions

Reprints and permissions

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Li, Y., Cuppens-Boulahia, N., Crom, JM., Cuppens, F., Frey, V., Ji, X. (2015). Similarity Measure for Security Policies in Service Provider Selection. In: Jajoda, S., Mazumdar, C. (eds) Information Systems Security. ICISS 2015. Lecture Notes in Computer Science(), vol 9478. Springer, Cham. https://doi.org/10.1007/978-3-319-26961-0_14

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-26961-0_14

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26960-3

  • Online ISBN: 978-3-319-26961-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation