A distributed PDP model based on spectral clustering for improving evaluation performance

Bibliographic Details
Published in: World wide web (Bussum) Vol. 22; no. 4; pp. 1555-1576
Main Authors: Deng, Fan; Lu, Jie; Wang, Shi-Yu; Pan, Jie; Zhang, Li-Yong
Format: Journal Article
Language: English
Published New York Springer US 01.07.2019
Springer Nature B.V

Summary: In modern access control systems, the Policy Decision Point (PDP) needs to be more efficient to meet the ever-growing demands of Web access authorization. Present XACML implementations of access control systems follow the same architecture based on ABAC, but vary in the design of the PDP and other components. As a critical process in the PDP, evaluation of attributes is often implemented in a simple and inefficient way in real applications. In order to improve the PDP evaluation performance, we propose a novel distributed PDP model, called XPDP, based on the combination of two-stage clustering and reordering to eliminate the limitation of computational performance of a single PDP. Firstly, we cluster rules based on subject and use a spectral clustering method to perform further clustering. Secondly, the clusters of rules are reordered before evaluation for every inbound request based on similarity. Finally, we introduce a distributed PDP architecture for distributed deployment, providing a brand new perspective on designing access control systems. A comparison in evaluation performance between the XPDP and the Sun PDP, as well as SBA-XACML, is made. In an experiment using 10,000 synthetic access requests with three practical policy sets, the XPDP is 3.26 times faster than Sun PDP, and is 1.85 times faster than SBA-XACML. Experimental results show that the PDP evaluation performance can be prominently improved.
ISSN: 1386-145X, 1573-1413
DOI: 10.1007/s11280-018-0588-8