
XACSim: a new tool for measuring similarity of XACML security policies

Cluster Computing

Abstract

XACML is a standard that defines a declarative, fine-grained, attribute-based access control security policy language. Evaluating the similarity of XACML policies serves a variety of purposes, such as clustering rules, merging policies, analysing anomalies in rules, selecting high-speed web servers, and finding collaborators with similar security settings. Existing approaches for calculating the similarity between security policies are primarily designed around XACML 2.0 and are insufficient for the more complicated policies that can be specified in XACML 3.0. In this paper, we propose a hierarchical approach, called XACSim, to assess the similarity of security policies specified in XACML 3.0. XACSim takes into account the distance of both numerical and nominal values when computing the similarity. More precisely, the distance is computed hierarchically by aggregating the distance values at four levels: value, attribute, rule, and policy. For nominal attributes, the similarity is calculated from their context, using the distribution of their values in the input dataset; for numerical attributes, the intersection intervals of their corresponding values are estimated to compute the similarity. We present an empirical evaluation of the effectiveness and efficiency of XACSim. The results show that our approach provides promising efficiency while outperforming state-of-the-art methods in effectiveness. (The XACSim tools are publicly available at https://gitlab.com/nassirim/XACSim.)
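To make the four-level aggregation concrete, here is an added toy implementation (not XACSim's own code) over constructed XACML-like rules: numerical attributes are compared by interval intersection, nominal attributes by a frequency-weighted overlap that stands in for the paper's context-based distance, and rule and policy scores are aggregates of the levels below. The sample policies, the nominal weighting and the rule-matching aggregation are all assumptions made for the illustration.

```python
# Toy hierarchical similarity for XACML-like rules (added illustration, not XACSim's code).
# A rule maps each attribute to a set of nominal values or a numeric (lo, hi) interval.
# Constructed sample policies (hypothetical hospital rules):
POLICY_A = [{"role": {"doctor"}, "action": {"read"}, "hour": (8, 18)},
            {"role": {"nurse"}, "action": {"read", "write"}, "hour": (0, 24)}]
POLICY_B = [{"role": {"doctor"}, "action": {"read", "write"}, "hour": (9, 17)},
            {"role": {"admin"}, "action": {"delete"}, "hour": (0, 24)}]

def nominal_frequencies(dataset):
    """Relative frequency of each nominal value, per attribute, over the whole dataset."""
    counts = {}
    for rule in (r for policy in dataset for r in policy):
        for attr, val in rule.items():
            if isinstance(val, set):
                bucket = counts.setdefault(attr, {})
                for v in val:
                    bucket[v] = bucket.get(v, 0) + 1
    return {a: {v: c / sum(cs.values()) for v, c in cs.items()} for a, cs in counts.items()}

def numeric_similarity(a, b):
    """Value level, numerical: length of the intersection interval over the union length."""
    inter = max(0, min(a[1], b[1]) - max(a[0], b[0]))
    union = max(a[1], b[1]) - min(a[0], b[0])
    return 1.0 if union == 0 else inter / union

def nominal_similarity(a, b, freq):
    """Value level, nominal: set overlap weighted by each value's dataset frequency
    (an assumed stand-in for a context-based distance)."""
    total = sum(freq[v] for v in a | b)
    return sum(freq[v] for v in a & b) / total if total else 1.0

def rule_similarity(r1, r2, freqs):
    """Rule level: mean over attributes; an attribute present in only one rule scores 0."""
    sims = []
    for attr in set(r1) | set(r2):
        if attr not in r1 or attr not in r2:
            sims.append(0.0)
        elif isinstance(r1[attr], tuple):
            sims.append(numeric_similarity(r1[attr], r2[attr]))
        else:
            sims.append(nominal_similarity(r1[attr], r2[attr], freqs[attr]))
    return sum(sims) / len(sims)

def policy_similarity(p1, p2, dataset):
    """Policy level: each rule is paired with its most similar counterpart in the other
    policy; both directions are averaged so the score is symmetric (assumed aggregation)."""
    freqs = nominal_frequencies(dataset)
    def best(src, dst):
        return sum(max(rule_similarity(r, s, freqs) for s in dst) for r in src) / len(src)
    return (best(p1, p2) + best(p2, p1)) / 2
```

With the two constructed policies, `policy_similarity(POLICY_A, POLICY_B, [POLICY_A, POLICY_B])` evaluates to 107/180 (about 0.594), while a policy compared with itself scores exactly 1.0.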


Data availability

The data that support the findings of this study are available from the corresponding author upon reasonable request.

Notes

  1. The source code is publicly available at https://gitlab.com/nassirim/XACSim. The developed tool is executed as a JAR file in a Java virtual machine.

  2. https://jaxb.java.net/

  3. XACBench is a toolset developed in our research laboratory at Bu-Ali Sina University, accessible via https://github.com/nassirim/xacBench.


Funding

This research has not been funded by any academic or industrial grant.


Contributions

ZK: Writing-editing. MN and MR: Resources; Supervision; data analysis.

Corresponding author

Correspondence to Mohammad Nassiri.

Ethics declarations

Conflict of interest

Author A, Zahra Katebi, declares that she has no conflict of interest. Author B, Mohammad Nassiri, declares that he has no conflict of interest. Author C, Mohsen Rezvani, declares that he has no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.


Cite this article

Katebi, Z., Nassiri, M. & Rezvani, M. XACSim: a new tool for measuring similarity of XACML security policies. Cluster Comput 26, 3957–3972 (2023). https://doi.org/10.1007/s10586-022-03778-x
