Performance analysis of dynamic ABAC systems using a queuing theoretic framework

Abstract

A policy comprised of a set of rules forms the backbone of Attribute-based Access Control (ABAC) systems. Every incoming request is checked against such a policy and if at least one rule grants the access, it is allowed. Else, access is denied. The initial ABAC policy could be hand crafted by the security administrator or mined from a given set of authorizations using a policy engineering technique. In dynamic ABAC systems, over a period of time, additional authorizations may have to be granted or some removed as per situational changes. These changes are maintained in an auxiliary list. For access resolution, both the policy as well as the auxiliary list are considered before taking a decision. Since such a list can grow indefinitely and checking it adversely affects access resolution efficiency, periodic policy rebuilding must be done by combining the existing policy and the auxiliary list. However, regenerating the ABAC policy requires re-running computationally expensive policy mining algorithms. Further, access mediation has to be put on hold while this step is being carried out, resulting in periods of unavailability of the system. In this paper, we study the intricate problem of balancing access request resolution, accommodating dynamic authorization updates, and ABAC policy rebuilding. We employ a queuing theoretic approach where the access mediation process is modeled as an M/G/1 queue with vacation or limited service. While the server is primarily involved in resolving access requests, it occasionally goes on vacation to rebuild the ABAC policy. We study the effect of queue discipline on several performance parameters like request arrival rate, access resolution time, vacation duration and interval between vacations. Results of an extensive set of experiments provide a direction toward efficient implementation of dynamic ABAC systems.