A comprehensive approach to the automatic refinement and verification of access control policies

Access control is one of the building blocks of network security and is often managed by network administrators through the definition of sets of high-level policies meant to regulate network behavior (policy-based management). In this scenario, policy refinement and verification are important proce...

Full description

Saved in:
Bibliographic Details
Published in:Computers & security 2019-01, Vol.80, p.186-199
Main Authors: Cheminod, Manuel, Durante, Luca, Seno, Lucia, Valenza, Fulvio, Valenzano, Adriano
Format: Article
Language:English
Subjects:
Access control
Anomalies
Automatic control
Complexity
Configurations
Cybersecurity
Network security
Policy refinement
Policy verification
Policy-based network management
Relaying
Software
Software development tools
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Access control is one of the building blocks of network security and is often managed by network administrators through the definition of sets of high-level policies meant to regulate network behavior (policy-based management). In this scenario, policy refinement and verification are important processes that have to be dealt with carefully, possibly relaying on computer-aided automated software tools. This paper presents a comprehensive approach for access control policy refinement, verification and, in case errors are detected in the policy implementation, their fixing. The proposed methodology is based on a twofold model able to describe both policies and system configurations and allows, by suitably processing the model, to either propose a system configuration that correctly enforces the policies, or determine whether a specific implementation matches the policy specification also providing hints on how possible anomalies can be fixed. Results on the average complexity of the solution confirm its feasibility in terms of computation time, even for complex networked systems consisting of several hundred nodes.
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2018.09.013