The results of the experiment show that our conflict-related rules detection tool for AC
policy is correct: it detected all the conflict-related rules for the access control policy,
rather than detecting the two rules with opposite actions. This advantage means our tool
can help security administrators understand the conflict situation
more comprehensively.
5.2 Effectiveness Evaluation
Colored Petri net (CPN) is an important method for representing and analyzing policy
semantics [13]. To evaluate the efficiency of the proposed tool, we compare the
response time of our tool with that of a CPN-based conflict detection tool. The test results
are shown in Fig. 2.
Fig. 2. Performance evaluation (axis label: access control rules size)
The results in Fig. 2 show that the response time of the conflict-related rules detection
tool is under 920s even when the rule set size reaches 300, and that the performance of our tool is
clearly better than that of the CPN-based conflict detection tool, because:
1) The CPN-based method represents conflict-related rules and access control rules
with places, transitions, tokens and so on, which produces many states and results in a long processing time.
2) Our method represents conflict-related rules and access control rules with concepts
and relations based on description logic; in addition, the tableau algorithm of the description
logic has been optimized.
6 Conclusion
To detect the rules of a conflict situation more comprehensively, this paper abstracted
all the rules of the conflict situation into the concept of “conflict-related rules” and
implemented a conflict detection tool. We analyzed the semantics of access control
policy and formally represented it with set theory; we defined the conflict-related rule for
access control policy and deduced its extension. Based on description logic, we
realized the tool to detect conflict-related rules and we validated the correctness and