Heterogeneity policy evaluation with modality conflict analysis
Policy evaluation is a process to determine whether a request satisfies the access control policies. There are two main phases in the policy evaluation, namely: (i) matching the attribute values of a request and a policy, and (ii) detecting modality conflict. Existing policy evaluation engines ut...
Saved in:
| Main Author: | |
|---|---|
| Format: | Thesis |
| Language: | English |
| Published: |
2017
|
| Subjects: | |
| Online Access: | http://psasir.upm.edu.my/id/eprint/83245/1/FSKTM%202017%2069%20-%20ir.pdf http://psasir.upm.edu.my/id/eprint/83245/ |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | Policy evaluation is a process to determine whether a request satisfies the
access control policies. There are two main phases in the policy evaluation,
namely: (i) matching the attribute values of a request and a policy, and (ii)
detecting modality conflict. Existing policy evaluation engines utilized a simple
string equal matching function, but they do not explore naming heterogeneity.
The authorizations could be propagated according to the inheritance
relationships between concepts along not only subject, resource, action, but
also location hierarchies. This thesis aimed to propose matching functions
which are not limited to string equal matching function that aim to resolve
naming heterogeneity, namely: synonym equal, hyponym, syntactical-synonym
equal, syntactical-hyponym, syntactical equal, hyponym common word, and
abbreviation equal. An authorization propagation rule is proposed to identify the
applicable policies, which relies on inheritance relationships between concepts,
on the basis of the partially ordered structures obtained by classifying subject,
resource, action, and condition attributes. Our solution assists the policy
administrators in filtering out the irrelevant policies which helps them to resolve
the modality conflict among the applicable policies before the actual policy
evaluation taken place. We have evaluated the effectiveness of our proposed
solution on real XACML policies for university, conference management, and
health-care domain. Our solution resulted lower percentage of R but higher
percentage of P and F for all sets of policies when more attributes are
considered in retrieving the applicable policies and in detecting the modality
conflict compared when these constraints are not considered. Our solution
achieved the higher percentage of P, R and F in matching the attribute values
of a request and a policy, in retrieving the applicable policies, and in detecting
modality conflict as compared to the previous work. The accuracy of the
proposed solution indicates that our proposed solution is better than the Sun's
XACML implementation in policy evaluation. |
|---|