Adaptive Reordering and Clustering-Based Framework for Efficient XACML Policy Evaluation
October-December 2011 (vol. 4 no. 4)
pp. 300-313
Said Marouf, University of North Carolina at Charlotte, Charlotte
Mohamed Shehab, University of North Carolina at Charlotte, Charlotte
Anna Squicciarini, Pennsylvania State University, College Park
Smitha Sundareswaran, Pennsylvania State University, College Park
The adoption of XACML as the standard for specifying access control policies for various applications, especially web services, is increasing rapidly. This calls for high-performance XACML policy evaluation engines. A policy evaluation engine can easily become a bottleneck when enforcing XACML policies with a large number of rules. In this paper we propose an adaptive approach to XACML policy optimization. We apply a clustering technique to policy sets based on the K-means algorithm. In addition to clustering, we find that, since a policy set has a variable number of policies and a policy has a variable number of rules, their ordering is important for efficient execution. By clustering policy sets and reordering the policies within a policy set and the rules within a policy, we formulate and solve the optimal policy execution problem. The proposed clustering technique categorizes the policies within a policy set and the rules within a policy with respect to their target subjects. When a request is received, it is redirected to the applicable policies and rules that correspond to its subjects, thereby avoiding unnecessary evaluations. We also propose a usage-based framework that computes access request statistics to dynamically optimize the ordering of policies within a policy set and of rules within a policy. Reordering is applied to the policies and rules categorized by our proposed clustering technique. To evaluate the performance of our framework, we conducted extensive experiments on XACML policies. We evaluated separately the improvement due to categorization and due to reordering, in order to assess the policy sets targeted by each technique. The experimental results show that our approach is orders of magnitude more efficient than the standard Sun PDP.
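The two ideas the abstract describes, clustering rules by target subject so a request only touches its own cluster, and reordering within a cluster from request statistics, as an added toy example that is not code from the paper. It assumes a constructed six-rule policy whose targets are plain (subject, resource, action) triples with a "*" wildcard and first-applicable combining, and it only swaps neighbouring rules whose targets cannot overlap, because moving overlapping rules past each other would change the first-applicable decision.

```python
from collections import defaultdict

# Constructed toy rule base (not from the paper): target is (subject, resource,
# action) with "*" as wildcard; combining algorithm is first-applicable.
RULES = [
    {"subject": "admin", "resource": "*",       "action": "*",     "effect": "Permit"},
    {"subject": "user",  "resource": "payroll", "action": "read",  "effect": "Deny"},
    {"subject": "user",  "resource": "wiki",    "action": "read",  "effect": "Permit"},
    {"subject": "user",  "resource": "wiki",    "action": "write", "effect": "Permit"},
    {"subject": "guest", "resource": "wiki",    "action": "read",  "effect": "Permit"},
    {"subject": "*",     "resource": "*",       "action": "*",     "effect": "Deny"},
]

def _matches(pattern, value):
    return pattern == "*" or pattern == value

def _may_overlap(a, b):
    # Two rules can apply to one request only if every target attribute is
    # compatible; swapping such a pair could change the first-applicable outcome.
    return all(a[k] == "*" or b[k] == "*" or a[k] == b[k]
               for k in ("resource", "action"))

class ClusteredPDP:
    def __init__(self, rules):
        self.rules = rules
        self.hits = [0] * len(rules)            # per-rule match counters
        self.clusters = defaultdict(list)       # subject -> rule indices
        for i, r in enumerate(rules):
            self.clusters[r["subject"]].append(i)

    def evaluate(self, subject, resource, action):
        """Return (effect, rules_examined) for one request."""
        # Only the subject's own cluster and the any-subject cluster are scanned;
        # assumes any-subject rules sit last in the original policy.
        examined = 0
        for i in self.clusters.get(subject, []) + self.clusters.get("*", []):
            examined += 1
            r = self.rules[i]
            if _matches(r["resource"], resource) and _matches(r["action"], action):
                self.hits[i] += 1
                return r["effect"], examined
        return "NotApplicable", examined

    def reorder(self):
        """Bubble frequently matched rules forward within each cluster."""
        for idx in self.clusters.values():
            for _ in range(len(idx)):
                for j in range(len(idx) - 1):
                    a, b = idx[j], idx[j + 1]
                    if self.hits[b] > self.hits[a] and not _may_overlap(self.rules[a], self.rules[b]):
                        idx[j], idx[j + 1] = b, a
```

The `rules_examined` count returned by `evaluate` is the quantity the clustering and reordering reduce; a real engine would also have to cluster on richer targets and re-run the overlap check whenever the policy changes.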


Index Terms:
Policy evaluation, policy categorization, XACML.
Citation:
Said Marouf, Mohamed Shehab, Anna Squicciarini, Smitha Sundareswaran, "Adaptive Reordering and Clustering-Based Framework for Efficient XACML Policy Evaluation," IEEE Transactions on Services Computing, vol. 4, no. 4, pp. 300-313, Oct.-Dec. 2011, doi:10.1109/TSC.2010.28