Abstract

Security is increasingly critical for data communication in distributed environments. DDS is a middleware standard for data-centric publish/subscribe communication in large-scale real-time environments. DDS provides a security model for secure data communication, and a major service of that model is authorization. The authorization is based on the contents of messages rather than on information about the participant, which should be the subject of access control. In this article, we present a novel approach for improved authorization in the DDS security model using ABAC. We first analyze the DDS security model and identify integration points for ABAC. Based on the analysis, we incorporate ABAC entities into the security model, with ABAC behaviors defined across RTPS and DCPS. We implemented the model in XACML and evaluated its effectiveness, scalability, and efficiency by applying it to a patient monitoring system in the healthcare domain in a controlled environment. The evaluation of effectiveness demonstrates that the model successfully enforces access control during the discovery process in a dynamically changing setting. The evaluation of scalability and efficiency demonstrates that the model is capable of handling 1,050 access requests simultaneously at an average of 40.60 milliseconds, which satisfies the TT3 requirements in IEC 61850-5, with average ABAC overhead of 10.62 milliseconds accounting for 26.67 percent of the communication time.
