Evaluating Two Methods for WS-(Security) Policy Negotiation and Decision Making

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10033)

Abstract

Any communication between a Web Service Provider (WSP) and a Web Service Consumer (WSC) in Web Service (WS) systems needs both parties to negotiate their security policies in order to reach agreed-upon security rules. However, reaching this agreement faces several issues. First, there are currently no policy selection methods for the case of multiple compatible alternatives, nor any mechanism for the case of no compatible alternatives. Second, the security policy assertions, written in XML, are complex. In order to overcome these issues, we propose in this paper an evaluation of the policy intersection method in its current status and another of two policy selection methods, Lattice lub/glb and Fuzzy Multiple Criteria Decision Making (MCDM) using the Analytical Hierarchy Process (AHP), for policy selection and decision making. These two methods can be used as an extension of policy intersection to solve policy compatibility measurements for better interoperability. An implementation to evaluate the decision-making methods is built. It is found that about 98.91 % of the total comparisons using both methods select the same set of security policies. Based on the evaluation findings, we propose a negotiation process that uses the extended policy intersection with the two evaluated methods for final policy agreement.

Keywords

WS-Policy, WS-Security Policy, WS-Policy Intersection, Boolean algebra, WS-(Security) Policy Negotiation, Apache Axis2, Apache Rampart, Apache Neethi

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  1. Chair for Network and Data Security NDS, Faculty of Electrical Engineering and Information Technology, Horst Görtz Institut Für IT-Sicherheit HGI, Ruhr-University Bochum, Bochum, Germany
