An experimental testbed to predict the performance of XACML Policy Decision Points
- 1 May 2011
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 353-360
- https://doi.org/10.1109/inm.2011.5990711
Abstract
The performance and scalability of access control systems is a growing concern as organisations deploy ever more complex communications and content management systems. This paper describes how an (offline) experimental testbed may be used to address performance concerns. To begin, timing measurements are collected from a server component incorporating the Policy Decision Point (PDP) under test, using representative policies and corresponding requests. Our experiments with two XACML PDP implementations show that measured request service times are typically clustered by request type; thus an algorithm for request cluster identification is presented. Cluster characterisations are used as inputs to a PDP performance model for a given policy/request mix and an analytic (queueing) model is used to estimate the equilibrium server load for different mixes of request clusters. The analytic performance prediction model is validated and extended by discrete event simulation of a PDP subject to additional load. These predictive models enable network administrators to explore the capacity of the PDP for different overall loadings (requests per unit time) and profiles (relative frequencies) of requests.
This publication has 13 references indexed in Scilit:
- XACML policy performance evaluation using a flexible load testing framework. Published by Association for Computing Machinery (ACM), 2010
- Statistics & Clustering Based Framework for Efficient XACML Policy Evaluation. Published by Institute of Electrical and Electronics Engineers (IEEE), 2009
- Performance evaluation of XACML PDP implementations. Published by Association for Computing Machinery (ACM), 2008
- A framework for measurement based performance modeling. Published by Association for Computing Machinery (ACM), 2008
- Conformance Checking of Access Control Policies Specified in XACML. IEEE Annual International Computer Software and Applications Conference (COMPSAC), 2007
- Analyzing web access control policies. Published by Association for Computing Machinery (ACM), 2007
- Dynamic rule-ordering optimization for high-speed firewall filtering. Published by Association for Computing Machinery (ACM), 2006
- Defining and Measuring Policy Coverage in Testing Access Control Policies. Lecture Notes in Computer Science, 2006
- Verification and change-impact analysis of access-control policies. Published by Association for Computing Machinery (ACM), 2005
- Extending query rewriting techniques for fine-grained access control. Published by Association for Computing Machinery (ACM), 2004