The Conflict Notion and its Static Detection: a Formal Survey

The notion of policy is widely used to enable a flexible control of many systems: access control, privacy, accountability, data base, service, contract , network configuration, and so on. One important feature is to be able to check these policies against contradictions before the enforcement step. This is the problem of the conflict detection which can be done at different steps and with different approaches. This paper presents a review of the principles for conflict detection in related security policy languages. The policy languages, the notions of conflict and the means to detect conflicts are various, hence it is difficult to compare the different principles. We propose an analysis and a comparison of the five static detection principles we found in reviewing more than forty papers of the literature. To make the comparison easier we develop a logical model with four syntactic types of systems covering most of the literature examples. We provide a semantic classification of the conflict notions and thus, we are able to relate the detection principles, the syntactic types and the semantic classification. Our comparison shows the exact link between logical consistency and the conflict notions, and that some detection principles are subject to weaknesses if not used with the right conditions

Approaches for Testing and Evaluation of XACML Policies

Security services are provided through: The applications, operating systems, databases, and the network. There are many proposals to use policies to define, implement and evaluate security services. We discussed a full test automation framework to test XACML based policies. Using policies as input the developed tool can generate test cases based on the policy and the general XACML model. We evaluated a large dataset of policy implementations. The collection includes more than 200 test cases that represent instances of policies. Policies are executed and verified, using requests and responses generated for each instance of policies. WSO2 platform is used to perform different testing activities on evaluated policies

On Properties of Policy-Based Specifications

The advent of large-scale, complex computing systems has dramatically increased the difficulties of securing accesses to systems' resources. To ensure confidentiality and integrity, the exploitation of access control mechanisms has thus become a crucial issue in the design of modern computing systems. Among the different access control approaches proposed in the last decades, the policy-based one permits to capture, by resorting to the concept of attribute, all systems' security-relevant information and to be, at the same time, sufficiently flexible and expressive to represent the other approaches. In this paper, we move a step further to understand the effectiveness of policy-based specifications by studying how they permit to enforce traditional security properties. To support system designers in developing and maintaining policy-based specifications, we formalise also some relevant properties regarding the structure of policies. By means of a case study from the banking domain, we present real instances of such properties and outline an approach towards their automatised verification.Comment: In Proceedings WWV 2015, arXiv:1508.0338

DETECTING AND RESOVING ANOMALIES USER ANALYSIS ON FIREWALL POLICY IN SENSOR NETWORKS

The coming of arising figuring innovations, for example, administration situated engineering and distributed computing has empowered us to perform business benefits all the more proficiently and adequately. Nonetheless, we actually experience the ill effects of unintended security spillages by unapproved activities in business administrations. Firewalls are the most generally conveyed security system to guarantee the security of private organizations in many organizations and establishments. The adequacy of security assurance gave by a firewall basically relies upon the nature of strategy designed in the firewall. Lamentably, planning and overseeing firewall approaches are regularly mistake inclined because of the perplexing idea of firewall arrangements just as the absence of deliberate examination instruments and devices. In this paper, we speak to a creative approach inconsistency the executive’s structure for firewalls, embracing a standard based division strategy to recognize strategy oddities and infer powerful oddity goals. Specifically, we articulate a matrix based portrayal method, giving an instinctive psychological sense about arrangement inconsistency. We additionally talk about a proof-of-idea execution of a perception based firewall strategy examination device called Firewall Anomaly Management Environment (FAME). Likewise, we exhibit how proficiently our methodology can find and resolve inconsistencies in firewall approaches through thorough tests

Policy inconsistency detection bassed on RBAC model in cross-organizational collaboration

Policy integration and conflict resolutions among various organizations still remain a major challenge.Moreover, policy inconsistency detection approach with logical reasoning techniques which considers integration requirements from collaboration parties has not been well studied.In this paper, we proposed a model to detect inconsistencies based on role-based access control (RBAC) that considers role hierarchy (RH) and temporal and spatial constraints.A model to prune and collect only the required policies based on access control requirements from different organizations is designed.Policy inconsistency detection should be enhanced with logical-based analysis in order to develop security policy integration.We believe this work could provide manner to filter a large amount of unrelated policies and only return potential collaboration policies for conflict resolution

The National Transport Data Framework

Report by Professor Peter Landshoff (Cambridge University) and Professor John Polak (Imperial College London) on a project for the Department for Transport. emails: [email protected] [email protected] NTDF is designed to be a resource for data owners to deposit descriptions into a central catalogue, so that people can search for data and find data and understand their characteristics. The value of this is to individuals, to commercial organizations, and to public bodies. For example, services that provide better information to travellers will help to make their journey less stressful and persuade them to make more use of public transport. Transport operators need very diverse information to help them plan developments to their services: demographic, geographical, economic etc. And policy makers need a similar range of information to help them decide how to divide their budget and afterwards to evaluate how valuable it has been.This work was supported by the Department for Transport (DfT)

An Effective Modality Conflict Model for Identifying Applicable Policies During Policy Evaluation

Policy evaluation is a process to determine whether a request submitted by a user satisfies the access control policies defined by an organization. Modality conflict is one of the main issues in policy evaluation. Existing modality conflict detection approaches do not consider complex condition attributes such as spatial and temporal constraints. An effective authorization propagation rule is needed to detect the modality conflicts that occur among the applicable policies. This work proposes a modality conflict detection model to identify the applicable policies during policy evaluation, which supports an authorization propagation rule to investigate the class-subclass relationships of a subject, resource, action, and location of a request and a policy. The comparison with previous work is conducted, and findings show the solution which considers the condition attribute (i.e. spatial and temporal constraints) can affect the decision as to whether the applicable policies should be retrieved or not which further affect the accuracy of the modality conflict detection process. Whereas the applicable policies which are retrieved for a request can influence the detection of modality conflict among the applicable policies. In conclusion, our proposed solution is more effective in identifying the applicable policies and detecting modality conflict than the previous work