Abstract
The XACML standard defines a declarative language for specifying access control policies, which are critical for deploying security solutions. It is important to evaluate the performance of policies defined in XACML for applications such as policy enforcement efficiency, policy refinement, anomaly detection, conflict resolution, and policy similarity assessment. For security and confidentiality reasons, policy sets available for such evaluations are very rare. Moreover, these policy sets are created gradually, so obtaining large and effective policy sets in a short time is a challenging and daunting task. In this paper, we present XACBench, a suite of tools for both generating synthetic XACML policies and benchmarking policy evaluation algorithms. To this end, XACBench first extracts, models and generalizes some statistical properties of an input policy, which together are called the policy profile. This profile helps generate policies in a way that accurately simulates the statistical properties of the input policy. XACBench then generates synthetic policies of any desired length based on the profile. It also provides a simple mechanism for controlling the correlation between the generated policies and the input policy with respect to the extracted policy profile. Experimental results demonstrate that our approach is efficient and scalable to various policy lengths as well as input policies.
Notes
In this paper, the term policy refers to a security policy specified in XACML. The terms “policy”, “security policy” and “XACML policy” are used interchangeably.
By n-policy-set policy sets, we mean policy sets that each contain n policy sets.
Note that various statistical distributions can be used for policy generation. In other words, our approach is not limited to the normal distribution.
The XACBench tool is accessible via https://github.com/nassirim/xacBench.
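The profile-then-generate idea from the abstract, sketched as an added example that is not XACBench's own code. The profile features used here (rules per policy, fraction of Permit rules) and the skeleton policies without targets or conditions are assumptions, since this page does not list what the real policy profile contains.

```python
import random
import statistics
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
RCA = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
PCA = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
ET.register_namespace("", NS)

def build_policy_set(effects_per_policy):
    """Serialize a skeleton PolicySet: one Policy per inner list, one Rule per effect."""
    root = ET.Element(f"{{{NS}}}PolicySet",
                      PolicySetId="ps", Version="1.0", PolicyCombiningAlgId=PCA)
    ET.SubElement(root, f"{{{NS}}}Target")
    for i, effects in enumerate(effects_per_policy):
        pol = ET.SubElement(root, f"{{{NS}}}Policy",
                            PolicyId=f"p{i}", Version="1.0", RuleCombiningAlgId=RCA)
        ET.SubElement(pol, f"{{{NS}}}Target")
        for j, effect in enumerate(effects):
            ET.SubElement(pol, f"{{{NS}}}Rule", RuleId=f"p{i}-r{j}", Effect=effect)
    return ET.tostring(root, encoding="unicode")

def extract_profile(xml_text):
    """Assumed profile: policy count, mean/stdev of rules per policy, Permit fraction."""
    # Trusted input only; parse policy files from other parties with a hardened parser.
    root = ET.fromstring(xml_text)
    counts, permits = [], 0
    for pol in root.iter(f"{{{NS}}}Policy"):
        rules = pol.findall(f"{{{NS}}}Rule")
        counts.append(len(rules))
        permits += sum(r.get("Effect") == "Permit" for r in rules)
    return {"policies": len(counts), "mean": statistics.mean(counts),
            "stdev": statistics.pstdev(counts), "permit": permits / sum(counts)}

def generate(profile, n_policies, seed=0):
    """Emit n_policies policies whose rule counts follow a normal distribution."""
    rng = random.Random(seed)  # fixed seed keeps benchmark inputs reproducible
    out = []
    for _ in range(n_policies):
        n_rules = max(1, round(rng.gauss(profile["mean"], profile["stdev"])))
        out.append(["Permit" if rng.random() < profile["permit"] else "Deny"
                    for _ in range(n_rules)])
    return build_policy_set(out)

# Constructed input policy: 4 policies with 2, 4, 3 and 3 rules, 8 of 12 Permit.
INPUT = build_policy_set([["Permit", "Deny"], ["Permit"] * 3 + ["Deny"],
                          ["Permit", "Permit", "Deny"], ["Deny", "Permit", "Permit"]])
```

Running `extract_profile(generate(extract_profile(INPUT), 500))` shows the synthetic set is far longer than the input while keeping its statistics, which is the property a benchmark input needs.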
Funding
This research has not been funded by any academic or industrial grant.
Ethics declarations
Conflict of interest
All authors declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
Communicated by V. Loia.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
The XACBench tools are publicly available at the following site: https://github.com/nassirim/xacBench.
Cite this article
Ahmadi, S., Nassiri, M. & Rezvani, M. XACBench: a XACML policy benchmark. Soft Comput 24, 16081–16096 (2020). https://doi.org/10.1007/s00500-020-04925-5
DOI: https://doi.org/10.1007/s00500-020-04925-5