
Analysis And Composition Of Security Policies For Multi-Domain Collaboration

Posted on: 2010-07-11
Degree: Master
Type: Thesis
Country: China
Candidate: C Chen
Full Text: PDF
GTID: 2178360278473035
Subject: Computer application technology

Abstract/Summary:
Web-based resource sharing and system interoperation are the key means of cooperation among organizations. Protecting the cooperating partners' systems is important for ensuring the security of the shared resources. Access control is the key technology for protecting an information system: it restricts every request to resources. Access control in turn relies on security policy, the rules permitting or denying system access that an organization designs according to its security requirements and business goals. In multi-domain cooperative applications, how to analyze and compose different policies effectively, so as to balance information security against the efficiency of cooperation, is a very important issue.

Policy similarity is the degree of similarity between the security restrictions that different policies place on subjects, resources or actions. It compares the common and differing parts of rights assignment among policies and, by returning the most similar policies, supports further approaches such as fine-grained policy analysis or policy composition. In a multi-domain environment, resources belonging to different organizations are controlled by different policies, so each organization must protect its own resources and also comply with the other access control systems. The purpose of policy composition is to integrate different policies in order to build a mutually trusting cooperative environment and improve the efficiency of cooperation. Cooperative policy generation is a kind of policy composition approach that focuses on the composition of attributes. The cooperative policy is the common part of the corresponding attributes in different policies; it expresses the security requirements that the cooperating organizations share. Extracting the common characteristics among policies to generate the cooperative policy can guarantee the fairness of cooperation, allow a greater degree of resource sharing and improve the efficiency of cooperation.

In the multi-domain cooperative environment, each partner belongs to a different administrator, and the partners manage their resources and access control systems independently. This makes the policies heterogeneous. However, recent policy similarity analyses rely on a single concept hierarchy and a single concept expression in their computation. They do not consider heterogeneous hierarchies and cannot compute the similarity of heterogeneous policies, which is the more common case in the web environment. In policy composition research, recent approaches mostly focus on composing decision schemes rather than on generating cooperative policies. They do not consider extracting the common characteristics of policies to emphasize fairness of cooperation and improved efficiency.

In this paper, we propose two algorithms based on the XACML policy language, one for heterogeneous policy similarity analysis and one for cooperative policy generation. XACML is the OASIS standard for expressing security policy. It provides a complete standard for access control and authorization systems and is widely used to express security policy in the web environment; all of our approaches are based on it. The main contributions of this paper are:

In the research on policy similarity analysis, we propose a heterogeneous policy similarity computation algorithm with two steps. The first step extracts the attribute values in the policies, maps them to the corresponding concept hierarchies, and then merges the different concept hierarchies into a uniform one. The second step calculates, for each node, the change in its relative position and the change in semantic distance among nodes after merging, and obtains the similarity from these changes. Merging the concept hierarchies eliminates semantic heterogeneity among concepts, and basing the calculation on the change in relative node position and semantic distance improves the accuracy of the results. We evaluate the algorithm experimentally on different concept hierarchies and policy instances. The results show that the algorithm is feasible in efficiency and avoids returning identical similarity values, which is inappropriate in recent policy similarity research.

In the research on cooperative policy generation, we propose an algorithm for extracting the common characteristics of policies. The algorithm first translates the rules of a policy into compound Boolean expressions, then applies a logical normal-form transformation to the rules and decomposes them based on the concept hierarchy. The decomposition yields atomic rules, in which each attribute has only one value. The common characteristics are extracted by comparing the attribute values in the atomic rules. Extracting after decomposition improves efficiency, and decomposing according to the concept hierarchy avoids omitting any common characteristic between policies. We also evaluate this algorithm experimentally, constructing policies and hierarchies of different scales to analyze how its efficiency depends on the number of rules in a security policy, of attribute values in rules, of regions in numeric attributes and of nodes in the concept hierarchy. The results show that the algorithm is feasible in efficiency.
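The decomposition-then-comparison idea described for cooperative policy generation, as an added illustration that is not the thesis's algorithm or code. It assumes permit rules written as plain Python dicts instead of XACML, a constructed concept hierarchy and two constructed policies, no numeric attributes, and hypothetical function names throughout.

```python
from itertools import product

# Constructed concept hierarchy (parent -> children); not taken from the thesis.
HIERARCHY = {
    "Staff": ["Doctor", "Nurse"],
    "Doctor": ["Surgeon", "Physician"],
    "Record": ["LabResult", "Prescription"],
}

def leaves(concept):
    """Return the leaf concepts at or below `concept` in HIERARCHY."""
    children = HIERARCHY.get(concept)
    if not children:
        return {concept}
    return set().union(*(leaves(child) for child in children))

def decompose(rule, expand=True):
    """Split one permit rule into atomic rules (one value per attribute).

    A rule maps attribute -> set of allowed concepts: a conjunction over
    attributes of a disjunction over values. With expand=True every value
    is first replaced by the leaf concepts beneath it.
    """
    attrs = sorted(rule)
    values = []
    for attr in attrs:
        vals = rule[attr]
        if expand:
            vals = set().union(*(leaves(v) for v in vals))
        values.append(sorted(vals))
    return {tuple(zip(attrs, combo)) for combo in product(*values)}

def atomic_rules(policy, expand=True):
    """Union of the atomic rules of every rule in the policy."""
    return set().union(*(decompose(rule, expand) for rule in policy))

def cooperative_policy(policy_a, policy_b, expand=True):
    """Atomic rules permitted by both policies (their common part)."""
    return atomic_rules(policy_a, expand) & atomic_rules(policy_b, expand)

# Constructed policies of two domains.
POLICY_A = [{"subject": {"Staff"}, "resource": {"LabResult"}, "action": {"read"}}]
POLICY_B = [{"subject": {"Doctor", "Auditor"}, "resource": {"Record"},
             "action": {"read", "write"}}]

if __name__ == "__main__":
    print("literal comparison:", cooperative_policy(POLICY_A, POLICY_B, expand=False))
    for atom in sorted(cooperative_policy(POLICY_A, POLICY_B)):
        print("common atomic rule:", dict(atom))
```

Comparing the literal attribute values finds nothing in common, because "Staff" and "Doctor" are different strings; decomposing along the hierarchy first recovers the shared read access of Surgeon and Physician to LabResult.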
Keywords/Search Tags: Security Policy, Access Control, Policy Analysis, Ontology, XACML