Decision Diagrams for XACML Policy Evaluation and Management
One of the primary challenges to apply the XACML access control policy language in applications is the performance problem of policy evaluation engines, particularly when they experience a great number of policies. Some existing works attempted to solve this problem, but only for some particular use...
Published in: | Computers & security 2015-03, Vol.49, p.1-16 |
---|---|
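Main Authors: | Ngo, Canh; Demchenko, Yuri; de Laat, Cees |
Format: | Article |
Language: | English |
Subjects: | Access control; Authorization; Decision diagram; Decision making models; Diagrams; Extensible Markup Language; Interval partition processing; Policy evaluation; Semantics; Studies; XACML |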
cited_by | cdi_FETCH-LOGICAL-c328t-9697767f1f4812ecb8ca9c0d57ef9d5734b84f79e55f7eefc4043d19eaffe9923 |
---|---|
cites | cdi_FETCH-LOGICAL-c328t-9697767f1f4812ecb8ca9c0d57ef9d5734b84f79e55f7eefc4043d19eaffe9923 |
container_end_page | 16 |
container_issue | |
container_start_page | 1 |
container_title | Computers & security |
container_volume | 49 |
creator | Ngo, Canh Demchenko, Yuri de Laat, Cees |
description | One of the primary challenges to apply the XACML access control policy language in applications is the performance problem of policy evaluation engines, particularly when they experience a great number of policies. Some existing works attempted to solve this problem, but only for some particular use-cases: either supporting simple policies with equality comparisons or predefined attribute values. Due to the lack of carefully checking the XACML model, they did not have original policy evaluation semantics. Therefore, they cannot handle errors containing indeterminate decisions, or ignore the critical attribute setting that leads to potential missing attribute attacks. In this paper, we build up the XACML logical model and propose a decision diagram approach using the data interval partition aggregation. It can parse and transform complex logical expressions in policies into decision tree structures, which efficiently improve the policy evaluation performance. Our approach can also be applied to solve other policy management problems such as policy redundancy detection, policy testings and comparisons, or authorization reverse queries. |
doi_str_mv | 10.1016/j.cose.2014.11.003 |
format | article |
publisher | Amsterdam: Elsevier Ltd |
coden | CPSEDU |
rights | 2014 Elsevier Ltd |
fulltext | fulltext |
identifier | ISSN: 0167-4048 |
ispartof | Computers & security, 2015-03, Vol.49, p.1-16 |
issn | 0167-4048 1872-6208 |
language | eng |
recordid | cdi_proquest_journals_1658776337 |
source | Elsevier:Jisc Collections:Elsevier Read and Publish Agreement 2022-2024:Freedom Collection (Reading list) |
subjects | Access control Authorization Decision diagram Decision making models Diagrams Extensible Markup Language Interval partition processing Policy evaluation Semantics Studies XACML |
title | Decision Diagrams for XACML Policy Evaluation and Management |
url | http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-27T21%3A37%3A59IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Decision%20Diagrams%20for%20XACML%20Policy%20Evaluation%20and%20Management&rft.jtitle=Computers%20&%20security&rft.au=Ngo,%20Canh&rft.date=2015-03-01&rft.volume=49&rft.spage=1&rft.epage=16&rft.pages=1-16&rft.issn=0167-4048&rft.eissn=1872-6208&rft.coden=CPSEDU&rft_id=info:doi/10.1016/j.cose.2014.11.003&rft_dat=%3Cproquest_cross%3E3607644711%3C/proquest_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c328t-9697767f1f4812ecb8ca9c0d57ef9d5734b84f79e55f7eefc4043d19eaffe9923%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=1658776337&rft_id=info:pmid/&rfr_iscdi=true |