
Packet: a privacy-aware access control policy composition method for services composition in cloud environments

  • Research Article, Frontiers of Computer Science

Abstract

Combining independent cloud services requires coordinating their access control policies. Otherwise, when the access control policies of different cloud service providers conflict, unauthorized access to the composite cloud service can occur, bringing serious data security and privacy problems. In this paper, we propose Packet, a novel access control policy composition method that can detect and resolve policy conflicts in cloud service composition, including conflicts related to privacy-aware purposes and conditions. The Packet method is divided into four steps. First, using a unified description, heterogeneous policies are transformed into a unified attribute-based format. Second, to improve conflict detection efficiency, policy conflicts on the same resource are eliminated with a cosine similarity-based algorithm. Third, using a hierarchical structure approach, policy conflicts related to different resources or to privacy-aware purposes and conditions are detected. Fourth, different conflict resolution techniques are presented for the corresponding conflict types. We have implemented the Packet method on the OpenStack platform. Comprehensive experiments demonstrate the effectiveness of the proposed method by comparing its conflict detection and resolution performance with that of an existing XACML-based system.
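To illustrate the second step, the following is an added Python example, not the paper's code: rules already mapped to one attribute-based format are compared with cosine similarity over their binary attribute vectors, and pairs on the same resource that are near-identical yet disagree in effect are flagged as conflicts. The attribute names, the "name=value" vectorisation, the 0.7 threshold and the sample rules are constructed assumptions for this illustration.

```python
from itertools import combinations
from math import sqrt

# Constructed sample: rules from two providers already transformed into one
# attribute-based format (the paper's first step). Attribute names, the
# vectorisation and the threshold below are assumptions for this example.
RULES = [
    {"id": "A1", "resource": "/tenant/records", "effect": "permit",
     "attrs": {"role": "analyst", "dept": "research",
               "action": "read", "purpose": "analytics"}},
    # B1 is broader than A1 (no dept constraint) and denies: every request
    # matching A1 also matches B1, so the two providers disagree.
    {"id": "B1", "resource": "/tenant/records", "effect": "deny",
     "attrs": {"role": "analyst", "action": "read", "purpose": "analytics"}},
    {"id": "B2", "resource": "/tenant/records", "effect": "permit",
     "attrs": {"role": "admin", "action": "delete"}},
    # C1 targets another resource; cross-resource conflicts belong to the
    # hierarchical step and are deliberately not examined here.
    {"id": "C1", "resource": "/tenant/logs", "effect": "deny",
     "attrs": {"role": "analyst", "dept": "research",
               "action": "read", "purpose": "analytics"}},
]

def tokens(rule):
    """One 'name=value' token per attribute: the rule's binary feature set."""
    return {f"{k}={v}" for k, v in rule["attrs"].items()}

def cosine(rule_a, rule_b):
    """Cosine similarity of two binary attribute vectors (0.0 .. 1.0)."""
    ta, tb = tokens(rule_a), tokens(rule_b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / (sqrt(len(ta)) * sqrt(len(tb)))

def same_resource_conflicts(rules, threshold=0.7):
    """Return (id_a, id_b, similarity) for same-resource rule pairs whose
    attribute vectors are at least `threshold` similar but whose effects
    differ. Same-effect overlaps are redundancy, not conflict, and are skipped."""
    found = []
    for a, b in combinations(rules, 2):
        if a["resource"] != b["resource"]:
            continue
        sim = cosine(a, b)
        if sim >= threshold and a["effect"] != b["effect"]:
            found.append((a["id"], b["id"], round(sim, 3)))
    return found

if __name__ == "__main__":
    for a_id, b_id, sim in same_resource_conflicts(RULES):
        print(f"conflict: {a_id} vs {b_id} (cosine similarity {sim})")
```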



Author information

Corresponding author

Correspondence to Li Lin.

Additional information

Li Lin is a lecturer and master's tutor at the College of Computer Science, Beijing University of Technology, China. She received her PhD degree in computer science from Beihang University, China in 2009 and her master's degree in basic mathematics from Guangxi Normal University, China in 2004. Her current research interests include cloud computing and information security.

Jian Hu is currently pursuing a master's degree in computer science at Beijing University of Technology, China. He received his bachelor's degree in computer science from the South-Central University for Nationalities, China in 2013. His current research interests include access control middleware development for cloud computing platforms and access control policy composition for cloud service composition.

Jianbiao Zhang received the BS, MS, and PhD degrees from Northwestern Polytechnic University, China in 1992, 1995, and 1999 respectively. From 1999 to 2001, he was a postdoctoral fellow at Beihang University, China. He is now a professor and PhD supervisor in the College of Computer Science, Beijing University of Technology, China. His research interests include network and information security and trusted computing.


Cite this article

Lin, L., Hu, J. & Zhang, J. Packet: a privacy-aware access control policy composition method for services composition in cloud environments. Front. Comput. Sci. 10, 1142–1157 (2016). https://doi.org/10.1007/s11704-016-5503-9
