Abstract

Attribute-based access control (ABAC) is widely used in systems with large numbers of resources and users, such as the Industrial Internet of Things (IIoT) and industrial information integration systems. Attribute-based security policy is highly flexible and expressive, but conflicts between policies occur frequently, affecting the security and availability of the system. Based on an analysis of ABAC security policies represented in the eXtensible Access Control Markup Language (XACML), this study proposes formal definitions of explicit conflicting rules, probable-conflicting rules, and never-conflicting rules. We also found that conflicts occur between a pair of rules whose attribute expressions have overlapping values and that can be applied to the same request. A new conflict detection method is proposed in which implicit conflicting rules are converted to explicit conflicting rules by completing the absent attribute expressions, and all the rules are then compared in pairs to detect all the probable conflicting rules in a rule set. In this way, we can analyze the conflicting probability of each pair of policy rules. Furthermore, we define two metrics to evaluate the conflict level of a rule set. Experimental results show that implicit conflicting rules are more numerous than explicit conflicting rules in the policy set. Also, as the number of attribute expressions in each rule increases, the conflict level of a rule set is significantly reduced, which provides a reference for policymaking. With this method, administrators can formulate more robust and efficient security policies and improve the security and availability of systems.
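
The following sketch illustrates the completion-then-pairwise-comparison idea described in the abstract. It is an added example, not the paper's algorithm or code: the rule format, the attribute domains, the sample rules, and the labels "explicit" (both rules name the same attributes) and "implicit" (overlap only visible after completing absent attributes) are assumptions made here.

```python
from itertools import combinations

# Constructed attribute domains (assumption: finite, enumerable values).
DOMAIN = {
    "role": {"operator", "engineer", "auditor"},
    "device": {"plc", "sensor", "gateway"},
    "action": {"read", "write"},
}

# Constructed rule set; an attribute missing from a rule means "any value".
RULES = {
    "r1": ("Permit", {"role": {"engineer"}, "device": {"plc"}, "action": {"write"}}),
    "r2": ("Deny", {"role": {"engineer", "operator"}, "device": {"plc"}, "action": {"write"}}),
    "r3": ("Deny", {"device": {"plc", "gateway"}}),
    "r4": ("Permit", {"role": {"auditor"}, "action": {"read"}}),
    "r5": ("Deny", {"role": {"operator"}, "action": {"write"}}),
}

def complete(attrs):
    """Fill absent attribute expressions with the attribute's full domain."""
    return {name: set(attrs.get(name, values)) for name, values in DOMAIN.items()}

def classify(rule_a, rule_b):
    """Return 'explicit', 'implicit' or 'none' for one pair of rules."""
    (effect_a, attrs_a), (effect_b, attrs_b) = rule_a, rule_b
    if effect_a == effect_b:
        return "none"  # same decision, so no conflict whatever the overlap
    full_a, full_b = complete(attrs_a), complete(attrs_b)
    # A single request can match both rules only if every attribute overlaps.
    if any(not (full_a[n] & full_b[n]) for n in DOMAIN):
        return "none"
    # Overlap visible without completion: both rules name the same attributes.
    return "explicit" if attrs_a.keys() == attrs_b.keys() else "implicit"

def detect_conflicts(rules):
    """Compare all rules in pairs and keep the conflicting ones."""
    found = {}
    for (id_a, a), (id_b, b) in combinations(sorted(rules.items()), 2):
        kind = classify(a, b)
        if kind != "none":
            found[(id_a, id_b)] = kind
    return found

if __name__ == "__main__":
    for pair, kind in detect_conflicts(RULES).items():
        print(pair, kind)
```

On the constructed rule set, r3 constrains only the device, so its conflicts with r1 and r4 surface only after the missing role and action expressions are completed.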
