Abstract

Attribute-Based Access Control (ABAC) is one of the most popular and best-suited access control methods for the Internet of Things (IoT). Yet, despite its popularity, only a few works address the attribute management and retrieval challenges that ABAC brings when applied to IoT. ABAC builds access policies from attributes, and most of the attributes needed for a policy evaluation in a massive and mobile IoT scenario come from an external source. As a result, the policy decision point must send an attribute request across the network for each policy evaluation, which hurts ABAC latency and performance. Deploying attribute caches over the network can mitigate this problem by reducing the latency to get the needed attributes. However, due to the dynamic nature of attributes, the cost of keeping those caches refreshed increases with each new replica stored. Since the refreshment cost may get out of hand in massive and mobile IoT scenarios, this article presents a method to increase the performance of attribute caches without considerable cost. The proposed method considers the mobility pattern of IoT devices and predicts where an attribute request will occur. It then proactively places the attributes closer to the subsequent access request, avoiding unnecessary caching. This approach improves the tradeoff between the cost of creating a new replica and the benefit to ABAC performance. Moreover, we characterize an actual authorization application running on the campus, and we use its logs to evaluate the method through trace-driven simulations. Evaluation results show that our new approach can reduce by up to 80% the number of hops needed to reach the attributes in the caches, at negligible refreshment cost.
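The placement idea described in the abstract, as an added sketch that is not the paper's algorithm or code: a per-device first-order Markov predictor moves a single attribute replica to the access point where the next request is expected, and the run is compared with fetching from the attribute source on every policy evaluation. The predictor, the topology, the hop counts and the trace are all constructed assumptions; the abstract does not specify them.

```python
from collections import Counter, defaultdict

# Constructed topology (assumption): hops from each access point (AP)
# to the external attribute source that the policy decision point queries.
HOPS_TO_SOURCE = {"lab": 4, "library": 5, "cafeteria": 3, "dorm": 6}

# Constructed trace of (device, AP where the access request is evaluated).
# d1 follows a routine and deviates once at the end; d2 alternates two APs.
ROUTINE = ["dorm", "lab", "cafeteria", "library"]
TRACE = ([("d1", ap) for ap in ROUTINE * 3] + [("d1", "cafeteria")]
         + [("d2", ap) for ap in ["library", "lab"] * 3])

def simulate(trace, proactive):
    """Return (total_hops, replicas_created) for the trace.

    Each device keeps at most one replica, so the refresh cost is bounded
    by one cached copy per device; replicas_created counts placements.
    """
    transitions = defaultdict(Counter)  # (device, AP) -> next-AP counts
    last_ap, cached_at = {}, {}
    hops = replicas = 0
    for device, ap in trace:
        # A replica at the requesting AP is modelled as a 0-hop hit
        # (assumption); anything else goes to the attribute source.
        if cached_at.get(device) != ap:
            hops += HOPS_TO_SOURCE[ap]
        # Learn the observed movement prev -> ap for this device.
        prev = last_ap.get(device)
        if prev is not None:
            transitions[(device, prev)][ap] += 1
        last_ap[device] = ap
        if not proactive:
            continue
        # Predict the most frequent next AP and move the replica there.
        seen = transitions[(device, ap)]
        if seen:
            predicted = seen.most_common(1)[0][0]
            if cached_at.get(device) != predicted:
                replicas += 1
            cached_at[device] = predicted
    return hops, replicas

if __name__ == "__main__":
    base_hops, _ = simulate(TRACE, proactive=False)
    pro_hops, placed = simulate(TRACE, proactive=True)
    print(f"source-only: {base_hops} hops")
    print(f"proactive:   {pro_hops} hops, {placed} replica placements")
```

The misses that remain under proactive placement are the warm-up requests, before any transition has been observed, and the single deviation from d1's routine.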
