TY - GEN
T1 - Statistics & clustering based framework for efficient XACML policy evaluation
AU - Marouf, Said
AU - Shehab, Mohamed
AU - Squicciarini, Anna
AU - Sundareswaran, Smitha
PY - 2009
Y1 - 2009
N2 - The adoption of XACML as the standard for specifying access control policies for various applications, especially web services, is vastly increasing. A policy evaluation engine can easily become a bottleneck when enforcing large policies. In this paper we propose an adaptive approach for XACML policy optimization. We propose a clustering technique that categorizes policies and rules within a policy set and policy, respectively, with respect to target subjects. Furthermore, we propose a usage-based framework that computes access request statistics to dynamically optimize the ordering of policies within a policy set and rules within a policy. Reordering is applied to categorized policies and rules from our proposed clustering technique. To evaluate the performance of our framework, we conducted extensive experiments on XACML policies. We evaluated separately the improvement due to categorization and to reordering techniques, in order to assess the policy sets targeted by our techniques. The experimental results show that our approach is orders of magnitude more efficient than the standard Sun PDP.
AB - The adoption of XACML as the standard for specifying access control policies for various applications, especially web services, is vastly increasing. A policy evaluation engine can easily become a bottleneck when enforcing large policies. In this paper we propose an adaptive approach for XACML policy optimization. We propose a clustering technique that categorizes policies and rules within a policy set and policy, respectively, with respect to target subjects. Furthermore, we propose a usage-based framework that computes access request statistics to dynamically optimize the ordering of policies within a policy set and rules within a policy. Reordering is applied to categorized policies and rules from our proposed clustering technique. To evaluate the performance of our framework, we conducted extensive experiments on XACML policies. We evaluated separately the improvement due to categorization and to reordering techniques, in order to assess the policy sets targeted by our techniques. The experimental results show that our approach is orders of magnitude more efficient than the standard Sun PDP.
UR - http://www.scopus.com/inward/record.url?scp=71049192853&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=71049192853&partnerID=8YFLogxK
U2 - 10.1109/POLICY.2009.36
DO - 10.1109/POLICY.2009.36
M3 - Conference contribution
AN - SCOPUS:71049192853
SN - 9780769537429
T3 - Proceedings - 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2009
SP - 118
EP - 125
BT - Proceedings - 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2009
T2 - 2009 IEEE International Symposium on Policies for Distributed Systems and Networks, POLICY 2009
Y2 - 20 July 2009 through 22 July 2009
ER -