Performance analysis of dynamic ABAC systems using a queuing theoretic framework

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-20 DOI:10.1016/j.cose.2025.104432

Gaurav Madkaikar , Karthikeya S.M. Yelisetty , Shamik Sural , Jaideep Vaidya , Vijayalakshmi Atluri

{"title":"Performance analysis of dynamic ABAC systems using a queuing theoretic framework","authors":"Gaurav Madkaikar , Karthikeya S.M. Yelisetty , Shamik Sural , Jaideep Vaidya , Vijayalakshmi Atluri","doi":"10.1016/j.cose.2025.104432","DOIUrl":null,"url":null,"abstract":"<div><div>A policy comprised of a set of rules forms the backbone of Attribute-based Access Control (ABAC) systems. Every incoming request is checked against such a policy and if at least one rule grants the access, it is allowed. Else, access is denied. The initial ABAC policy could be hand crafted by the security administrator or mined from a given set of authorizations using a policy engineering technique. In dynamic ABAC systems, over a period of time, additional authorizations may have to be granted or some removed as per situational changes. These changes are maintained in an auxiliary list. For access resolution, both the policy as well as the auxiliary list are considered before taking a decision. Since such a list can grow indefinitely and checking it adversely affects access resolution efficiency, periodic policy rebuilding must be done by combining the existing policy and the auxiliary list. However, regenerating the ABAC policy requires re-running computationally expensive policy mining algorithms. Further, access mediation has to be put on hold while this step is being carried out, resulting in periods of unavailability of the system. In this paper, we study the intricate problem of balancing access request resolution, accommodating dynamic authorization updates, and ABAC policy rebuilding. We employ a queuing theoretic approach where the access mediation process is modeled as an M/G/1 queue with vacation or limited service. While the server is primarily involved in resolving access requests, it occasionally goes on vacation to rebuild the ABAC policy. We study the effect of queue discipline on several performance parameters like request arrival rate, access resolution time, vacation duration and interval between vacations. Results of an extensive set of experiments provide a direction toward efficient implementation of dynamic ABAC systems.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104432"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S016740482500121X","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

A policy comprised of a set of rules forms the backbone of Attribute-based Access Control (ABAC) systems. Every incoming request is checked against such a policy and if at least one rule grants the access, it is allowed. Else, access is denied. The initial ABAC policy could be hand crafted by the security administrator or mined from a given set of authorizations using a policy engineering technique. In dynamic ABAC systems, over a period of time, additional authorizations may have to be granted or some removed as per situational changes. These changes are maintained in an auxiliary list. For access resolution, both the policy as well as the auxiliary list are considered before taking a decision. Since such a list can grow indefinitely and checking it adversely affects access resolution efficiency, periodic policy rebuilding must be done by combining the existing policy and the auxiliary list. However, regenerating the ABAC policy requires re-running computationally expensive policy mining algorithms. Further, access mediation has to be put on hold while this step is being carried out, resulting in periods of unavailability of the system. In this paper, we study the intricate problem of balancing access request resolution, accommodating dynamic authorization updates, and ABAC policy rebuilding. We employ a queuing theoretic approach where the access mediation process is modeled as an M/G/1 queue with vacation or limited service. While the server is primarily involved in resolving access requests, it occasionally goes on vacation to rebuild the ABAC policy. We study the effect of queue discipline on several performance parameters like request arrival rate, access resolution time, vacation duration and interval between vacations. Results of an extensive set of experiments provide a direction toward efficient implementation of dynamic ABAC systems.

查看原文本刊更多论文

基于排队理论框架的动态ABAC系统性能分析

由一组规则组成的策略构成了基于属性的访问控制（ABAC）系统的骨干。根据这样的策略检查每个传入请求，如果至少有一个规则授予访问权限，则允许访问。否则，拒绝访问。初始ABAC策略可以由安全管理员手工制作，也可以使用策略工程技术从给定的授权集中挖掘。在动态ABAC系统中，在一段时间内，可能需要根据情况变化授予或删除一些额外的授权。这些更改保存在辅助列表中。对于访问解析，在做出决定之前要考虑策略和辅助列表。由于这样的列表可以无限增长，并且检查它会对访问解析效率产生不利影响，因此必须通过结合现有策略和辅助列表来进行定期策略重建。然而，重新生成ABAC策略需要重新运行计算开销较大的策略挖掘算法。此外，在执行此步骤时，访问中介必须暂停，从而导致系统不可用。本文研究了访问请求解析、动态授权更新和ABAC策略重建的平衡问题。我们采用排队论方法，将访问中介过程建模为具有休假或有限服务的M/G/1队列。虽然服务器主要参与解析访问请求，但它偶尔会休假以重建ABAC策略。研究了队列纪律对请求到达率、访问解析时间、休假持续时间和休假间隔等性能参数的影响。大量的实验结果为动态ABAC系统的有效实现提供了方向。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.