Abstract
Access control facilitates controlled sharing and protection of resources in an enterprise. However, given the ubiquity of collaborative applications and scenarios, enterprises no longer function in isolation. Being able to measure policy similarity and integrate heterogeneous policies appropriately is an essential step towards secure interoperation. Existing approaches for measuring policy similarity are based on computing similarity between different components of the access control policy. However, this does not provide a pathway for integrating policies, and may not sufficiently take the security context into account. In this paper, we propose a holistic change detection approach that enables policy similarity evaluation and policy migration. Our approach more comprehensively takes into account different access control semantics to compute policy similarity and finds the common organizational policy with the least cost.
© 2015 Springer International Publishing Switzerland
Vaidya, J., Shafiq, B., Atluri, V., Lorenzi, D. (2015). A Framework for Policy Similarity Evaluation and Migration Based on Change Detection. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science(), vol 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_13
DOI: https://doi.org/10.1007/978-3-319-25645-0_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25644-3
Online ISBN: 978-3-319-25645-0