Decision-cache based XACML authorisation and anonymisation for XML documents

N/A
N/A
Protected

Academic year: 2021


Nils Ulltveit-Moe *, Vladimir Oleshchuk

University of Agder, Servicebox 509, N-4898 Grimstad, Norway

Abstract

This paper suggests a fine-grained authorisation model based on the eXtensible Access Control Markup Language (XACML) for XML based messages and documents, that is extended to support privacy-enhanced anonymisation of XML elements containing sensitive information. The solution implements a decision cache for XACML decisions and anonymisation policies. The decision cache is implemented as an XACML obligations service, where a specification of the XML elements to be authorised and anonymised is sent to the decision cache in the Policy Enforcement Point (PEP) during initial authorisation. Further authorisation of individual XML elements according to the authorisation specification is then performed on all matching XML resources, and decisions are stored in the decision cache. This makes it possible to cache fine-grained XACML authorisation and anonymisation decisions, which reduces the authorisation load on the Policy Decision Point (PDP). The theoretical solution is related to a practical case study consisting of a privacy-enhanced intrusion detection system that needs to perform anonymisation of Intrusion Detection Message Exchange Format (IDMEF) XML messages before they are sent to a security operations centre that operates in privacy-preserving mode. The solution increases the scalability of XACML based authorisation significantly, and may be instrumental in implementing federated authorisation and anonymisation based on XACML in several areas, including intrusion detection systems, web services, content management systems and GRID based authentication and authorisation.

Keywords: Privacy Policy, Authorisation, Anonymisation, Caching, XML, IDS, XACML

1. Introduction

The eXtensible Access Control Markup Language (XACML) is an access control policy language that is gaining popularity [1]. It can for example be used together with the Security Assertion Markup Language (SAML) for authorisation of web services. It can also be used for authorisation in federated environments like Shibboleth¹, or for giving users control over their data [2]. Our objective is to use XACML for fine-grained authorisation and anonymisation of IDMEF XML messages from Intrusion Detection Systems (IDS), in order to control what information can be disseminated to whom from an IDS service.

There are also other authorisation languages that could have been considered, for example the Enterprise Privacy Authorisation Language (EPAL) [3] or the Platform for Privacy Preferences (P3P) [4]. P3P is more end-user oriented, focusing mainly on web based authorisation. It seems to lack the rich functionality and extensibility of XACML and is perhaps more a supplement than a replacement to XACML for web-based authorisations. XACML can in many respects be considered a superset of EPAL [5]. However, EPAL supports obligations, so a similar framework for cache control and anonymisation of XML data may be possible to implement also for this policy language. The main reason for choosing XACML is that it is a mature OASIS standard [1] that fits well into a Service Oriented Architecture (SOA). Furthermore, XACML has quite broad vendor support compared to EPAL.

However, a limitation with XACML is that the current implementations do not scale well [6]. There is for example a risk that the central rule processing engine in the Policy Decision Point (PDP) may be a bottleneck for a potentially large amount of authorisation requests from individual XML elements. Another challenge, that has not been solved as far as we are aware of, is how to do fine-grained anonymisation or pseudonymisation of XML documents or messages by using XACML. We propose how this can be mitigated by adding a decision cache as an XACML obligations service that can store decisions based on unique key values.

Our solution is not limited to the domain of IDS services. Fine-grained access control and anonymisation of XML documents backed up by a client-side decision cache may also be useful for GRID services to provide a more scalable authorisation that effectively can delegate simple decisions to a distributed set of decision caches. It can be useful for authorisation and anonymisation of web services, middleware like for example JBoss or even content management systems, in order to ensure that some

* Corresponding author. Phone: +4791876897, fax: 37233001. Email addresses: nils.ulltveit-moe@uia.no (Nils Ulltveit-Moe), vladimir.oleshchuk@uia.no (Vladimir Oleshchuk).

¹ See http://shibboleth.internet2.edu

Figure 1: XACML architecture with decision cache.

In that respect, the solution can also be regarded as a simple XACML controlled application level firewall for XML documents.

This paper is organised as follows: The next section gives an introduction to XACML and an overview of the proposed solution. Section 3 describes the architecture and Section 4 covers the technical solution in more detail. Section 5 shows an example authorisation of XML resources based on the proposed XACML solution, including initial authorisation, individual element authorisation request and response and decision cache handling. Section 6 describes the efficiency of the proposed solution. Related work is subsequently discussed in Section 7 and Section 8 concludes the paper and gives some suggestions for further research.

2. Overview of the Proposed Solution

XACML is an access control policy language based on policies written in XML. It uses a model for access control that clearly separates policy decisions in the Policy Decision Point (PDP) from policy enforcement in the Policy Enforcement Point (PEP), as shown in Figure 1. The Context Handler and Policy Information Point (PIP) ensure that subjects, resources and other environment attributes can be made available to the PDP when policies are being evaluated. Subjects, resources and environmental attributes can also be passed in via the XACML Request message. We use this approach, since the anonymisation and authorisation service basically is an extension of the PEP.

Our solution implements an XML authorisation service that is integrated with both the PEP and the obligations service. The obligations service furthermore manages the decision cache.

spective, it is preferable to be able to reuse XACML as far as possible for fine-grained authorisation and anonymisation of XML documents and messages. This is viable under the assumption that access control decisions for authorisation or anonymisations can be regarded as final and do not change within a defined time span. This means that an access control decision to publish sensitive material will not be undone or reconsidered under normal circumstances.

Rules for access control policies will in many cases be static, meaning that they are based on some stable conditions, for example rules using fixed strings or rule patterns identifying IP addresses, e-mail addresses or URLs accessed. For static rules, it will be possible to have decision cache entries with infinite expiry time, that only will be ejected from the cache if the cache is invalidated, for example due to an updated authorisation policy. In other cases it may be useful to only grant access for a limited time period before authorisation needs to be renegotiated.

Utilising a decision caching authorisation system also means that cache entries and rules can be made much simpler than the original XACML expressions, however at the expense of using more memory. It can however be expected that the cache has a minimum working set of active authorisations, which means that the decision cache will need at least a certain amount of memory for cache entries in order to operate efficiently. However, if the working set of cached decisions fits into memory, then the load on the XACML rule engine is expected to be tolerable. These assumptions make it viable to use a caching strategy for access control decisions.

3. Architecture

Figure 2 illustrates how the XACML-based anonymising proxy for IDMEF XML reports is implemented. Initially, the Managed Security Service (MSS) providers will be authorised towards the PEP. In this example, two MSS providers are shown: an outsourced first line service that only is allowed to see anonymised IDS alerts and a second line service, possibly run in-house, that can see non-anonymised IDMEF alerts. This initial authorisation opens a secure connection from the anonymiser thread and to the alert database of the MSS provider.

Then the IDS sensors are authorised towards the PEP in order to open a connection from the IDS to a dedicated Producer thread in the PEP for each IDS. The Producer thread is responsible for copying IDMEF messages to all input queues of authorised anonymisers/proxies. Each Anonymiser/proxy thread will then read IDMEF messages and anonymise them according to the XACML policy.

Policy decisions are cached in the decision cache to improve the overall efficiency, so that cached decisions that have not timed out will be reused to save the overhead on XACML requests. Different authorised sessions can then have different anonymisation policies based on

Table 1: List of notations

  i          XACML policy number.
  j          Decision number.
  k          Scope parameter number for XACML identifiers.
  a_{i,j}    The XACML authorisation decision number j by resource policy number i.
  b_{i,j}    The block marker or pattern used to anonymise the data (optional).
  d_{i,j}    Decision number j performed by the XACML resource policy number i.
  K_{i,j}    Unique dictionary key for decision j and policy i.
  l_{i,j}    Last time this decision cache entry was used.
  p_{i,j}    Anonymisation policy to perform on the content of r_i for decision j.
  R          All resource XPath expressions for XML elements/attributes that need authorisation.
  r_i        Resource number i that needs authorisation.
  s_{i,k}    XPath scope expression that extracts required parameter values for the XACML policy i.
  t_{i,j}    The absolute time (UTC) when the cached authorisation decision times out.
  v_{i,j,k}  Parameter values identified by s_{i,k} that are required by the XACML policy i in order to perform decision number j.

Table 2: Mapping of XACML response parameters.

  Parameter  Decision cache XACML AttributeId
  b_{i,j}    b_{i,j} is stored in an AttributeAssignment with ID urn:prile:org:resource:i:policy:function
  r_i        urn:prile:org:resource:i:id
  p_i        urn:prile:org:resource:i:policy:function, where function = [replace-with|pad-with|...]
  s_{i,k}    urn:prile:org:resource:i:assertion:k:scope
  t_i        urn:prile:org:resource:i:cache-timeout (the PEP calculates t_i from the current time plus t_i)
  v_{i,j,k}  urn:prile:org:resource:i:assertion:k:value for decision j

service, that handles the bulk of the alerts, operates with anonymised data; and a second line service, that operates in-house, can have access to the full alerts. This limits the amount of sensitive information that is visible to the outsourced first-line service.

4. Technical Solution

This section performs a more formal analysis of the technical solution. Figure 3 shows an example IDMEF report that matches the XPath expressions used in the case study, and Tables 1 and 2 show the formal notations used. The proposed solution uses the initial XACML authorisation request from the data consumer to return an obligation with a list of n > 0 XPath expressions identifying XML resources R = {r_1, r_2, ..., r_n} that require further authorisation. This is shown in Figure 4. The figure shows a successful XACML Response that permits access to the PEP, but with a cache specification sent as an XACML obligation to authorise any XML elements referenced by the XPath expression /Alert/AdditionalData[meaning='payload'] with a requirement to also request the element referred to by the XPath expression /Alert/Classification/ident from the XML document, and send the requested value as a resource attribute in the XACML request. The PDP can based on this information perform a decision on whether the payload for a given type of IDS alert is considered privacy violating or not.

Figure 2: XACML-based IDMEF anonymiser/proxy with decision cache.

The other resource requires authorisation of all XML elements below the XPath expression /Alert/Source/Node/*. The cache specification also requires that /Alert/Source/Node/Address/address is retrieved from the XML document and passed to the XACML policy for evaluation. Later, this value is also used as part of the cache key for a given document.

The XACML obligations service in the anonymiser/proxy

element is identified. The XACML response contains an access control decision from the PDP that will be cached for a retention time period as defined in the obligations of the access control decision.

Caching access control decisions requires some knowledge about the authorisation policy being used, since checking for a cache hit requires that all relevant parameter values that the access control decision is based upon are known. These parameter values are together with the resource id used as keys when checking whether a cache entry matches the relevant set of parameters in the XML document being checked.

The decision process for XACML authorisation and anonymisation can be considered as a mapping from a resource and a set of parameter values that are required by a given XACML resource policy to a decision. If this decision is positive, then the decision may have additional obligations, like an obligation to anonymise data or an obligation that expresses authorisation timeout. The parameters required by the system in order to make a decision are defined more formally below:

- r_i identifies the set of one or more XML resource(s) to be authorised by the XACML resource policy i, expressed as an XPath expression on the current XML document, for example:
  r_1 = /Alert/AdditionalData[meaning='payload']
  r_2 = /Alert/Source/Node/* (applies to any elements below node);
- s_{i,k} are the XPath expressions used to extract required parameters for the XACML policy i and parameter number k.
- v_{i,j,k} are the parameter values extracted from the XML document by applying the XPath search expression s_{i,k}. These parameter values are required by the XACML policy i in order to evaluate decision number j. Sent as XACML resource context parameter number k.

The decision related parameters are explained below:

- a_{i,j} is the XACML authorisation, which can be either Permit or Deny.
- b_{i,j} is the block marker or pattern used to anonymise the data. This parameter is optional, and the default block marker is an empty string if it is not specified.
- p_{i,j} specifies the anonymisation policy to perform on the content matching resource r_i for decision j, which can be one of a set of P predefined anonymisation policies, for example to anonymise by removing or replacing content, anonymise by padding content using a block marker instead of the content (leaves the length of content intact), modify content using regular expression or perform a pseudonymisation of IP addresses or use an encryption policy.
- t_{i,j} is the absolute time (UTC) when the authorisation decision times out. Different timeout values may be applicable for different authorisations. It is for example natural that authorisations that are based on dynamic variables may need a relatively short timeout period. On the other hand, decisions based on static parameters, like IP address ranges, may not need any timeout value, so the timeout value can be set very large or even infinite. It is then sufficient to have a notification service that can invalidate the policy cache in case the PDP reloads a new policy from the PAP. After t_{i,j} times out, the cached decision will be discarded the next time the cache entry is used, and a new XACML authorisation will be performed;
- l_{i,j} shows the last time this decision cache entry was used. (Useful for debugging and optimising the Least Recently Used cache.)

With these definitions a decision, denoted by d_{i,j}, is represented as a tuple d_{i,j} = (a_{i,j}, t_{i,j}, l_{i,j}, p_{i,j}, b_{i,j}) which reflects the j-th decision performed by the XACML resource policy number i. The decision cache is implemented as a dictionary where the key K_{i,j} consists of the resource policy number and all n values concatenated, i.e. i || v_{i,j,1} || v_{i,j,2} || ... || v_{i,j,n}, so that the dictionary indexed on the key returns the cached access decision. The resource policy number i needs to be part of the key to avoid ambiguities between the values, for example that source IP address and destination IP address are being confused for different resource policies.
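The decision tuple and cache key just defined, rendered as a Python decision cache with timeout handling and the LRU eviction the paper describes in Section 6. This is an added example and not the paper's Jython implementation; the '||' separator, the capacity and the values used in demo() are assumptions.

```python
# Added example (not the paper's Jython code): the decision cache of
# Section 4, keyed on K_{i,j} = i || v_{i,j,1} || ... || v_{i,j,n} and storing
# d_{i,j} = (a, t, l, p, b), with timeouts and LRU eviction. The '||'
# separator and the values in demo() are assumptions.
import time
from collections import OrderedDict
from typing import NamedTuple, Optional, Sequence


class Decision(NamedTuple):
    a: str            # XACML authorisation: "Permit" or "Deny"
    t: float          # absolute expiry time (UTC seconds); inf = never expires
    l: float          # last time this entry was used
    p: Optional[str]  # anonymisation policy, e.g. "pad-with"; None for Deny
    b: str            # block marker or pattern ("" when not specified)


def make_key(i: int, values: Sequence[str]) -> str:
    """K_{i,j}: resource policy number i followed by all scope values.

    Keeping i in the key stops the same value (say an IP address) used by a
    source-address policy and a destination-address policy from colliding.
    """
    return "||".join([str(i), *values])


class DecisionCache:
    """Bounded dictionary of cached decisions with LRU eviction.

    Mirrors the LinkedHashMap scheme the paper uses in Section 6: a hit is
    re-inserted at the tail; the head (oldest) entry goes when capacity is hit.
    """

    def __init__(self, capacity: int = 3000, clock=time.time):
        self.capacity = capacity
        self.clock = clock  # injectable for deterministic tests
        self._entries: "OrderedDict[str, Decision]" = OrderedDict()
        self.hits = self.misses = 0

    def lookup(self, key: str) -> Optional[Decision]:
        """Cached decision, or None on a miss or when t_{i,j} has passed."""
        now = self.clock()
        d = self._entries.get(key)
        if d is not None and now >= d.t:
            del self._entries[key]  # timed out: discard, force a new XACML request
            d = None
        if d is None:
            self.misses += 1
            return None
        d = d._replace(l=now)  # l_{i,j}: last time used
        self._entries[key] = d
        self._entries.move_to_end(key)  # LRU: move to the tail
        self.hits += 1
        return d

    def store(self, key: str, a: str, timeout: float,
              p: Optional[str] = None, b: str = "") -> Decision:
        """Store a decision; t_{i,j} = current time + timeout from the obligation."""
        now = self.clock()
        d = Decision(a=a, t=now + timeout, l=now, p=p, b=b)
        self._entries[key] = d
        self._entries.move_to_end(key)
        while len(self._entries) > self.capacity:
            self._entries.popitem(last=False)  # evict the least recently used
        return d

    def invalidate(self) -> None:
        """Drop all entries, e.g. when the PDP reloads a new policy from the PAP."""
        self._entries.clear()

    def __len__(self) -> int:
        return len(self._entries)


def demo() -> dict:
    """Constructed walk-through with a manual clock (values are illustrative)."""
    now = [1_000_000.0]
    cache = DecisionCache(capacity=2, clock=lambda: now[0])
    k1 = make_key(1, ["1:5976"])      # payload policy, scoped by alert ident
    k2 = make_key(2, ["10.0.2.2"])    # source node policy, scoped by address
    k3 = make_key(3, ["10.0.2.2"])    # hypothetical destination policy, same value
    cache.store(k1, "Permit", timeout=86400, p="pad-with", b="X")   # P1D
    cache.store(k2, "Permit", timeout=float("inf"), p="replace-with")  # static rule
    first_hit = cache.lookup(k1)      # hit: k1 becomes most recently used
    cache.store(k3, "Deny", timeout=3600)  # capacity 2: evicts k2, not k1
    evicted = cache.lookup(k2)        # miss
    now[0] += 86400                   # one day later: k1 has timed out
    expired = cache.lookup(k1)        # miss, entry discarded
    return {"k1": k1, "k2": k2, "k3": k3, "first_hit": first_hit,
            "evicted": evicted, "expired": expired, "size": len(cache),
            "hits": cache.hits, "misses": cache.misses}
```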

5. XACML Policy Example

This section provides an example of how the envisaged IDS XACML profile can be used. It does not focus on the authentication part, which is expected to be very similar to existing federated access control solutions using SAML to convey XACML requests [7]. We assume in the following sections that the XML schema namespace (http://www.w3.org/2001/XMLSchema#) is denoted by &xs;.

In this example, a company considers information about hosts residing on the network 10.0.2.0/24 as sensitive. The company does not want to reveal IP addresses clear-text in the IDS alerts. Furthermore, the payload is considered sensitive for certain classes of IDS alerts, as indicated by the ident attribute of the Classification element in the IDMEF report. IDMEF alerts from IDSs on this network can for example look like the simplified IDMEF excerpt in Figure 3.

<IDMEF-Message>
  <Alert messageid="018e3-1b2e-11e0-99b2">
    <Source spoofed="unknown"
            interface="wlan0">
      <Node category="unknown">
        <Address category="ipv4-addr">
          <address>10.0.2.2</address>
        </Address>
      </Node>
    </Source>
    <Classification ident="1:5976"
                    text="SNMP AgentX/tcp request">
    </Classification>
    <AdditionalData type="byte-string"
                    meaning="payload">
      REhDUEM=
    </AdditionalData>
  </Alert>
</IDMEF-Message>

Figure 3: Simplified excerpt of IDMEF message used in the case study.

5.1. Initial Authorisation

The initial XACML request is an ordinary XACML authorisation request to get read access to the Anonymiser/proxy in the PEP, similar to the one described in [8], and is not shown in this article for space reasons. However, the XACML response is shown, to illustrate how the PEP is being made aware of the cache parameter specification necessary to manage the decision cache in the form of XACML obligations. The mapping between the notation used in this article and XACML identifiers is shown in Table 2.

The initial authorisation shown in Figure 4 returns a set of XML resource identifiers r_i that consists of XPath expressions that cover authorisation of one or more XML elements in the document. Each XACML response also contains k XPath expressions s_{i,k}, that uniquely define the parameters required by the XACML policy to authorise the resources defined by r_i and that will be sent in subsequent XACML resource authorisation requests as resource attributes.

Since an XPath expression may return more than one element, it is then up to the XACML policy to define the attributes so that the cache is kept consistent. The simplest way to do this is to require that s_{i,k} is defined to return only a single element from the XML document instance being authorised. If an assertion XPath expression returns more than one element, and their result is different, then the evaluation of the policy would also potentially be inconsistent. One element may claim access and the other may not. If it is necessary to do conflict resolution, then all individual assertion elements must be passed in to the XACML policy, which defines how the conflict resolution should be done. All XPath expressions from the initial authorisation are precompiled and stored in a two dimensional list indexed by resource number i and scope expression k.

5.2. XML Element Authorisation Request

After the initial authorisation, the XML parser of the Anonymiser/proxy in the PEP will get XML messages (IDMEF alerts) from the queue and start parsing them. The PEP then iterates through all XPath matches for all resources in R. If there is no authorisation cached for the XML resource elements r_i refers to, then the PEP will perform XACML authorisation requests for all non-authorised resources, asking for read access to the resource elements. An example authorisation request for an XML element is shown in Figure 5. The request authorises the subject soc1@outsourced.example.com for access to the resource r_1 = /Alert/AdditionalData[meaning='payload'].

In addition, the XACML request contains additional resource context parameters representing the set of necessary parameters s_{i,k} that are required to evaluate the given security policy by the PDP. Here, the first element of the tuple s_{i,1} = /Alert/Classification/ident refers to the IDMEF Alert classification of the XML message being authorised and v_{i,1} = 1:5976 refers to the unique identification of the alert class in the XML document being inspected (see Figure 3). The next section describes how the decision cache works for a cache miss. A cache hit is subsequently described in Section 5.4.

5.3. XML Element Authorisation Response

An accepted XACML response is illustrated in Figure 6. The obligations in XACML responses are mapped as shown in Table 2.

The PEP will then collect all decision parameters d_{i,j} = (a_{i,j}, t_{i,j}, l_{i,j}, p_{i,j}, b_{i,j}). All of these except l_{i,j} and t_{i,j} are fetched from the obligations in the XACML response. Then l_{i,j} is set to the current time and t_{i,j} is set to the timeout value t_{i,j} in the XACML response plus the current time. Subsequently, the anonymisation policy p_{i,j} from the obligations in the XACML response will be applied to the content of all resources matching r_i. This can for example be to anonymise the content by padding it with the block marker X if p_{i,j} = pad-with and b_{i,j} = "X". The anonymisation policy will then be cached in the dictionary using the resource number and parameter values concatenated as key, i.e. K_{i,j} = i || v_{i,j,1} || v_{i,j,2} || ... || v_{i,j,n}. If an authorisation request is denied, then the XML message will be discarded, since it is not authorised to be sent to the resource consumer.

A Deny authorisation decision can be cached in the same way as a Permit decision, however this requires that the XACML response includes an obligation with the necessary parameters for the cache entry, as shown in Table 1. The anonymisation policy p_{i,j} can be omitted in this case, since a Deny decision implies that the XML message is dropped. This sequence is not illustrated, since it will be

<Response>
  <Result ResourceID="PEP">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <Obligations>
      <Obligation ObligationId="urn:prile:org:authorize-elements" FulfillOn="Permit">
        <AttributeAssignment AttributeId="urn:prile:org:resource:1:id"
            DataType="&xs;string">/Alert/AdditionalData[meaning='payload']
        </AttributeAssignment>
        <AttributeAssignment AttributeId="urn:prile:org:resource:1:assertion:1:scope"
            DataType="&xs;string">/Alert/Classification/ident
        </AttributeAssignment>
        <AttributeAssignment AttributeId="urn:prile:org:resource:2:id"
            DataType="&xs;string">/Alert/Source/Node/*
        </AttributeAssignment>
        <AttributeAssignment AttributeId="urn:prile:org:resource:2:assertion:1:scope"
            DataType="&xs;string">/Alert/Source/Node/Address/address
        </AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>

Figure 4: XACML reply to initial authorisation of the IDS-PEP.

from Permit to Deny, and there will typically only be a cache timeout value as parameter.

5.4. XML Element Authorisation for Cache Hit

Checking for cache hits is performed for all resources matching the pattern r_i after the necessary scope values v_{i,k} have been extracted from the XML document. A cache hit means that there exists a cached decision d_{i,j} for a key K_{i,j} in the decision cache. If the cache has timed out, then entry d_{i,j} is deleted, and a full XACML resource authentication is performed. Finally, the anonymisation policy p_{i,j} is enforced and the anonymised XML document is sent to the authorised data consumer.
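The cache-miss and cache-hit paths of Sections 5.2 to 5.4, run over the Figure 3 excerpt in Python. This is an added example, not the paper's code: the PDP is a constructed stand-in that answers with Figure 6-style responses, the paper's XPath expressions are mapped onto ElementTree's XPath subset, and '||' is assumed as the key separator.

```python
# Added example (not the paper's Jython code): the per-document PEP step of
# Sections 5.2-5.4 against a constructed stand-in PDP. Assumed: ElementTree's
# XPath subset (predicate as [@attr=..], paths rooted at IDMEF-Message), '||'.
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed from the Figure 3 excerpt.
IDMEF = """<IDMEF-Message><Alert messageid="018e3-1b2e-11e0-99b2">
<Source spoofed="unknown" interface="wlan0"><Node category="unknown"><Address
category="ipv4-addr"><address>10.0.2.2</address></Address></Node></Source>
<Classification ident="1:5976" text="SNMP AgentX/tcp request"/><AdditionalData
type="byte-string" meaning="payload">REhDUEM=</AdditionalData></Alert></IDMEF-Message>"""

# The Figure 4 obligation as the PEP keeps it: i -> (r_i, [s_{i,1}, ...]).
RESOURCES = {
    1: ("/Alert/AdditionalData[meaning='payload']", ["/Alert/Classification/ident"]),
    2: ("/Alert/Source/Node/*", ["/Alert/Source/Node/Address/address"]),
}

# Constructed stand-in PDP: Figure 6-style responses keyed on the resource id.
PDP_RESPONSES = {
    "urn:prile:org:resource:1:id": """<Response><Result><Decision>Permit</Decision>
<Obligations><Obligation ObligationId="urn:prile:org:element-restrictions" FulfillOn="Permit">
<AttributeAssignment AttributeId="urn:prile:org:resource:1:cache-timeout">P1D</AttributeAssignment>
<AttributeAssignment AttributeId="urn:prile:org:resource:1:policy:pad-with">X</AttributeAssignment>
</Obligation></Obligations></Result></Response>""",
    "urn:prile:org:resource:2:id": """<Response><Result><Decision>Permit</Decision>
<Obligations><Obligation ObligationId="urn:prile:org:element-restrictions" FulfillOn="Permit">
<AttributeAssignment AttributeId="urn:prile:org:resource:2:cache-timeout">PT1H</AttributeAssignment>
<AttributeAssignment AttributeId="urn:prile:org:resource:2:policy:replace-with">[removed]</AttributeAssignment>
</Obligation></Obligations></Result></Response>""",
}
PDP_LOG: List[str] = []  # one entry per XACML request sent, i.e. per cache miss


def to_et(path: str) -> str:
    """Paper-style '/Alert/X[attr=v]' -> ElementTree './Alert/X[@attr=v]'."""
    return "." + re.sub(r"\[(\w+)=", r"[@\1=", path)


def scope_value(doc: ET.Element, s: str) -> str:
    """v_{i,j,k}: text of the single match, or an attribute named by the last step."""
    found = [(e.text or "").strip() for e in doc.findall(to_et(s))]
    if not found:  # e.g. /Alert/Classification/ident: ident is an attribute in IDMEF
        parent, _, attr = s.rpartition("/")
        found = [e.get(attr, "") for e in doc.findall(to_et(parent))]
    if len(found) != 1:  # Section 5.1: a scope expression must yield one element
        raise ValueError(f"scope {s} matched {len(found)} elements")
    return found[0]


def duration_seconds(d: str) -> float:
    """xs:dayTimeDuration such as P1D or PT1H30M -> seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", d)
    if not m:
        raise ValueError(f"bad duration {d!r}")
    days, hours, mins, secs = (int(x or 0) for x in m.groups())
    return float(((days * 24 + hours) * 60 + mins) * 60 + secs)


def parse_response(xml: str) -> Tuple[str, float, Optional[str], str]:
    """(a, timeout, p, b) from a Figure 6-style response; b defaults to ''."""
    root = ET.fromstring(xml)
    a, timeout, p, b = root.findtext(".//Decision"), float("inf"), None, ""
    pat = r"urn:prile:org:resource:\d+:(cache-timeout|policy:([\w-]+))"
    for aa in root.iter("AttributeAssignment"):
        m = re.fullmatch(pat, aa.get("AttributeId", ""))
        if m and m.group(1) == "cache-timeout":
            timeout = duration_seconds((aa.text or "").strip())
        elif m:
            p, b = m.group(2), (aa.text or "").strip()
    return a, timeout, p, b


def anonymise(elem: ET.Element, p: str, b: str) -> None:
    """Apply policy p with block marker b to every text node under elem."""
    for e in elem.iter():
        text = (e.text or "").strip()
        if not text:
            continue
        if p == "pad-with":
            e.text = b * len(text)  # keeps the content length intact
        elif p == "replace-with":
            e.text = b
        else:
            raise ValueError(f"unknown anonymisation policy {p}")


def process(xml: str, cache: dict, now: float) -> Optional[str]:
    """Authorise and anonymise one IDMEF message; None means it was dropped."""
    doc = ET.fromstring(xml)
    for i, (r, scopes) in RESOURCES.items():
        key = "||".join([str(i)] + [scope_value(doc, s) for s in scopes])  # K_{i,j}
        d = cache.get(key)
        if d is None or now >= d[1]:  # miss, or t_{i,j} passed: ask the PDP again
            PDP_LOG.append(rid := f"urn:prile:org:resource:{i}:id")
            a, timeout, p, b = parse_response(PDP_RESPONSES[rid])
            d = cache[key] = (a, now + timeout, now, p, b)  # d_{i,j}
        if d[0] != "Permit":
            return None  # a Deny drops the whole message
        for elem in doc.findall(to_et(r)):
            anonymise(elem, d[3], d[4])
    return ET.tostring(doc, encoding="unicode")
```

The second call with the same scope values is served from the cache, so no request reaches the PDP until the shorter PT1H timeout of resource 2 has passed.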

6. Efficiency of the Proposed Solution

The XACML decision cache is implemented in Jython running on Sun Java 6. The Jython interpreter gives a performance overhead, so a native Java implementation can be expected to be somewhat faster, however testing this is left to future work. The implementation uses XimpleWare's Java based Virtual Token Descriptor XML parser (VTD-XML)², which has a small memory footprint compared to traditional DOM implementations (1.3-1.5 times the size of the XML document) and has also got a very fast XPath 1.0 implementation.

The experiments are performed using Jython 2.2.1 on a 64 bit machine running Ubuntu with 8 Gb RAM and 2.53 GHz Intel Core 2 Duo CPU. The decision cache was limited to 3000 entries, using a Least Recently Used policy for pruning the cache when it runs full. The cache was tested with between one and thirty relatively simple anonymisation policies that performed simple regular expression match for any content.

The LRU class was implemented in Jython based on the LinkedHashMap Java class by overriding the removeEldestEntry() method. LRU functionality was then achieved by first retrieving and removing the referenced cached entry and then reinserting it at the tail of the linked hash structure. The oldest entry was then automatically removed from the head of the data structure by LinkedHashMap when the cache capacity was exceeded.

The experiment consisted of first identifying a set of resources with corresponding scope values that needs to be cached. 30 resources were selected that it would be reasonable to consider anonymising or that it would be reasonable to consider using as a scope variable for that resource. With the exception of payload, which uses the IDS rule classification as scope (as discussed in this paper), the rest of the simple rules tested the same parameter they anonymised, amongst others: source IP address, destination IP address, source port, destination port etc. We attempted to stress the cache by including scope variables that referred to the TCP sequence and acknowledgment numbers.

² VTD-XML can be found at http://vtd-xml.sourceforge.net

<Request xmlns="urn:oasis:names:tc:xacml:1.0:context:schema:os"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context:schema:os
    http://docs.oasis-open.org/xacml/access_control-xacml-1.0-context-schema-os.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
        DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
      <AttributeValue>soc1@outsourced.example.com</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="&xs;string">
      <AttributeValue>urn:prile:org:resource:1:id</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:prile:org:resource:1:assertion:1:scope"
        DataType="&xs;string">
      <AttributeValue>/alert/classification</AttributeValue>
    </Attribute>
    <Attribute AttributeId="urn:prile:org:resource:1:assertion:1:value"
        DataType="&xs;string">
      <AttributeValue>1:5976</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
        DataType="&xs;string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>

Figure 5: XACML request for XML element authorisation.

<Response>
  <Result ResourceID="urn:prile:org:resource:1:id">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
    <Obligations>
      <Obligation ObligationId="urn:prile:org:element-restrictions" FulfillOn="Permit">
        <AttributeAssignment AttributeId="urn:prile:org:resource:1:cache-timeout"
            DataType="http://www.w3.org/TR/2002/WD-xquery-operators-20020816#d
ayTimeDuration">P1D
        </AttributeAssignment>
        <AttributeAssignment AttributeId="urn:prile:org:resource:10:policy:pad-with"
            DataType="&xs;string">X</AttributeAssignment>
      </Obligation>
    </Obligations>
  </Result>
</Response>

Figure 6: XACML response for XML element authorisation.

[Figure 7 plot: x-axis "Number of anonymisation policies" (0 to 30), y-axis "Time used (ms)" (0 to 20); series "Cached" and "Uncached", showing the average response time.]

Figure 7: Average response time of decision cache as a function of number of anonymisation policies.

worst case performance of the decision cache compared to not caching decisions.

A simple XACML policy generator was then used to perform a random selection of n out of these 30 resources, and then test the decision cache on 5000 alerts generated by Snort 2.8 using the standard VRT rule set. Traffic was generated by replaying the 1999 KDD cup data set³. A problem with this data set is that it does not give a representative picture of the diversity of attack vectors today and also not the diversity of data seen by a large MSS provider. The cache hit rate (97% for 30 enabled rules with 3000 cache entries in the LRU cache) is therefore probably unrealistically high compared to what can be expected with real data. The experiments still give a representative picture of the cache performance, given that the cache hit rate is high.

Each result presented in Figure 7 is the average of 20 experiments, each anonymising 5000 alerts for a given number of resources n. The experiment was then repeated for n = (1, 2, ..., 30). Using an ensemble of 20 experiments limits the effect of random selection of rules with varying cache hit rates. This makes it possible to better see the underlying trends. Only IDMEF Alert messages were sent to the cache. Heartbeat messages were not processed, since they are not relevant for the anonymisation policy.

Figure 7 shows the average response time of the decision cache as a function of number of anonymisation policies (i.e. number of XML elements being anonymised). There seems to be a linear relationship between the number of anonymisation policies and the time used, as can be expected. Also, the relative cache efficiency (fraction of uncached to cached time used) increases with increasing number of anonymisation policies, from a speedup factor of 2.6-3.0 for less than 5 policies to around 3.5 for 25-30 policies. This shows that the cached solution both performs better in terms of efficiency and scales somewhat better than the non-cached solution with increasing number of anonymisation policies. The speedup factor can be expected to be even larger for more complex XACML policies, as long as the cache hit rate is kept sufficiently high.

30 anonymisation policies is probably sufficient for the IDMEF use case. Most of the remaining IDMEF elements and attributes were either constant or varied between a few values, which means they would fit into the cache without causing any significant additional load on the cache. For 30 anonymisation rules, the decision cache will be able to process up to 185 IDS alerts/s (vs max 52 IDS alerts/s for the non-cached solution). If this is not sufficient, then the architecture can easily be parallelised, for example by adding individual anonymising PEPs for each IDS sensor or even splitting traffic from single IDS sensors.

Memory usage is not a problem for the given experiment since the cache had a hit rate of 97% with only 3000 cache entries. The JVM heap size went down to 130 Mb between each garbage collection, and memory increased slowly after garbage collection, which is another indication that memory usage was not problematic when using the VTD-XML parser⁴. However, more realistic data (for example from a MSS provider) are needed to verify that memory usage is not a problem.

The decision cache is in other words useful for increasing both the performance and scalability of XACML authorisations. This means that it should be viable to perform fine-grained access control of XML elements and attributes in IDMEF alerts from IDS by using an anonymising decision cache.

³ KDD Cup 1999 data (DARPA IDS test set), http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html

7. Related Work

This paper extends the simple XACML policy for anonymisation proposed in [8]. The previous paper presented the idea of anonymisation based on an XACML obligations service for coarse-grained access control of IDMEF messages. This paper extends the solution to provide fine-grained access control of XML messages in general with decision caching support and support for several different anonymisation policies.

There are, as far as we are aware, no other similar solutions. However, some other systems cover part of the same functionality. A solution for controlling access to XML documents is proposed in [9]. However, this solution is not based on XACML and it does not support anonymisation policies. An XACML-based privacy-centred access control system is proposed in [2, 10]. This system focuses on credential management to provide users with control over their data. Our solution is different, since it proposes an XACML caching solution with fine-grained access control and anonymisation of data.

of decision making processes when dealing with stable conditions is explained in [11]. This solution aims at reducing the time that the Policy Information Point (PIP) uses for accessing remote services like SNMP agents and also the decision making time. Our solution is different, since it aims at performing access control of individual elements and attributes in XML documents using a decision cache based solution.

The BRO IDS [12] supports a way to anonymise the payload of a packet instead of removing the entire payload [13, 12]. There also exists some earlier work on privacy-enhanced host-based IDS systems that pseudonymises audit data and performs analysis on the pseudonymised audit records [14, 15, 16, 17, 18]. However, neither of these solutions are based on XACML or provide native authorisation and anonymisation of XML document instances.

⁴ This picture was however different for Java's standard DOM

8. Conclusions and Future Work

The paper proposes a viable solution for fine-grained XACML authorisation and anonymisation of elements and attributes in XML documents. This allows for central management of authorisation and anonymisation policies for XML documents instead of using a hybrid solution with several different access control solutions or languages.

The decision caching protocol can easily be adapted to other authorisation schemes by choosing a different cache key generation scheme that reflects the authorisation scenario. Caching can then be enabled by adding the timeout parameter as an obligation in order to manage the cached decisions. This opens up a possibility to significantly improve the efficiency and scalability of other XACML based authorisation schemes.
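The cache key and timeout mechanism described above, as an added example that is not the paper's own implementation: a small Python PEP-side decision cache. The PDP is consulted once per subject and resource type; its Permit decision carries an obligation that lists element-level actions and a timeout, after which every XML element is decided locally, the decision is cached until the timeout, and elements are anonymised or removed before the message is released. The obligation layout (a list of element-path/action rules plus a timeout), the SHA-256 cache key over subject and root element, the stand-in `example_pdp` function, the HMAC-based pseudonymisation and the simplified IDMEF sample are all assumptions made for this example, not taken from the paper.

```python
"""Added example, not code from the paper: a PEP-side anonymising decision cache. The PDP
is consulted once per (subject, resource type); its Permit carries an obligation with
per-element actions and a timeout, after which the PEP decides and caches every element
locally. Obligation layout, cache key scheme, stand-in PDP and sample are assumptions."""
import hashlib
import hmac
import time
import xml.etree.ElementTree as ET

# Constructed, simplified IDMEF alert (namespace omitted) used as sample input.
SAMPLE_ALERT = """<IDMEF-Message><Alert messageid="abc123">
  <Source><Node><Address category="ipv4-addr"><address>192.0.2.10</address></Address></Node>
    <User><UserId><name>alice</name></UserId></User></Source>
  <Target><Node><Address category="ipv4-addr"><address>198.51.100.5</address></Address></Node></Target>
  <Classification text="Brute force login"/>
</Alert></IDMEF-Message>"""

# Assumed obligation sent by the PDP with "Permit": (element path, action) rules, most specific
# path wins; "permit" passes through, "anonymise" pseudonymises text/attributes, "remove" drops.
OBLIGATION = {
    "timeout": 60,  # seconds for which the PEP may reuse decisions derived from this spec
    "default": "permit",
    "rules": [
        ("IDMEF-Message/Alert/Source/Node/Address/address", "anonymise"),
        ("IDMEF-Message/Alert/Source/User", "remove"),
        ("IDMEF-Message/Alert/Target/Node/Address/address", "permit"),
    ],
}

def example_pdp(subject, resource_type):  # stand-in PDP (constructed for this example)
    permitted = subject == "soc-operator" and resource_type == "IDMEF-Message"
    return ("Permit", OBLIGATION) if permitted else ("Deny", None)

class AnonymisingDecisionCache:
    def __init__(self, pdp, salt=b"example-pseudonym-key", clock=time.monotonic):
        self._pdp = pdp          # callable(subject, resource_type) -> (decision, obligation)
        self._salt = salt        # key of the pseudonymising hash (assumed shared per deployment)
        self._clock = clock      # injectable so timeouts can be simulated
        self._specs = {}         # cache key -> (obligation, expiry)
        self._decisions = {}     # (cache key, element path) -> (action, expiry)
        self.pdp_calls = 0
        self.cache_hits = 0

    @staticmethod
    def cache_key(subject, resource_type):
        """Cache key scheme; replace this to adapt the cache to another authorisation scenario."""
        return hashlib.sha256(f"{subject}\x00{resource_type}".encode()).hexdigest()

    def _spec(self, key, subject, resource_type):
        """Cached obligation for key, or an initial authorisation round trip to the PDP."""
        cached = self._specs.get(key)
        if cached is not None and cached[1] > self._clock():
            return cached[0]
        self.pdp_calls += 1
        decision, obligation = self._pdp(subject, resource_type)
        if decision != "Permit":
            return None
        self._specs[key] = (obligation, self._clock() + obligation["timeout"])
        # A new authorisation invalidates element decisions derived from the old spec.
        self._decisions = {k: v for k, v in self._decisions.items() if k[0] != key}
        return obligation

    def _decide(self, key, spec, path):
        """Fine-grained decision for one element path, served from the cache while fresh."""
        now = self._clock()
        cached = self._decisions.get((key, path))
        if cached is not None and cached[1] > now:
            self.cache_hits += 1
            return cached[0]
        matches = [r for r in spec["rules"] if path == r[0] or path.startswith(r[0] + "/")]
        action = max(matches, key=lambda r: len(r[0]))[1] if matches else spec["default"]
        self._decisions[(key, path)] = (action, now + spec["timeout"])
        return action

    def _pseudonym(self, value):  # keyed hash: equal values give equal pseudonyms across messages
        return hmac.new(self._salt, value.encode(), hashlib.sha256).hexdigest()[:16]

    def _apply(self, key, spec, elem, path):
        for child in list(elem):
            child_path = f"{path}/{child.tag}"
            action = self._decide(key, spec, child_path)
            if action == "remove":
                elem.remove(child)
                continue
            if action == "anonymise":
                if child.text and child.text.strip():
                    child.text = self._pseudonym(child.text.strip())
                for name in list(child.attrib):
                    child.attrib[name] = self._pseudonym(child.attrib[name])
            self._apply(key, spec, child, child_path)

    def authorise(self, subject, xml_text):
        """Return the anonymised XML for subject, or None when the PDP denies access."""
        root = ET.fromstring(xml_text)
        key = self.cache_key(subject, root.tag)
        spec = self._spec(key, subject, root.tag)
        if spec is None:
            return None
        self._apply(key, spec, root, root.tag)
        return ET.tostring(root, encoding="unicode")
```

Authorising the same alert twice for the same subject makes one PDP call and serves every element decision of the second message from the cache; once the timeout has elapsed the next message triggers a fresh authorisation, which also discards the element decisions derived from the old obligation. Because the PEP applies the element-level rules itself, correctness of the anonymisation now depends on the PEP as much as on the PDP, which is the critique the paper raises below.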

A potential critique of the proposed solution is that fine-grained access control decisions are delegated from the PDP to the PEP via XACML obligations. This violates the clear interface between policy decision and policy enforcement, since the PEP must then be trusted to evaluate the element-level rules and to honour the cache timeout correctly.

Future work involves adding more functionality and, if necessary, moving time critical parts to Java. It would also be interesting to support the Multiple Resources Profile of XACML in order to process several resources simultaneously by XACML. Last but not least, the anonymising decision cache should be tested under realistic conditions at an MSS provider.

Acknowledgments

This work is funded in part by Telenor Research & Innovation under the contract DR-2009-1.

Bibliography

[1] T. Moses (ed), OASIS eXtensible Access Control Markup Language (XACML) Version 2.0, http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf (2005).

[2] …, P. Samarati, An XACML-based privacy-centered access control system, in: Proceedings of the first ACM workshop on Information security governance, ACM, Chicago, Illinois, USA, 2009, pp. 49–58.

[3] C. Powers, M. Schunter (ed), Enterprise privacy authorization language (EPAL 1.2), http://www.zurich.ibm.com/security/enterprise-privacy/epal/Specification/index.html (2003).

[4] M. Marchiori (ed), The platform for privacy preferences 1.0 specification, http://www.w3.org/TR/P3P (2002).

[5] A. H. Anderson, A comparison of two privacy policy languages, in: Proceedings of the 3rd ACM workshop on Secure web services (SWS'06), Alexandria, Virginia, USA, 2006, p. 53.

[6] A. X. Liu, F. Chen, J. Hwang, T. Xie, XEngine: a fast and scalable XACML policy evaluation engine, Conference on Measurement and Modeling of Computer Systems.

[7] P. Periorellis, Securing Web Services, IGI Global, 2007.

[8] N. Ulltveit-Moe, V. Oleshchuk, Two tiered privacy enhanced intrusion detection system architecture, in: 2009 IEEE International Workshop on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, Rende, Italy, 2009, pp. 8–14.

[9] E. Damiani, P. Samarati, S. De Capitani di Vimercati, S. Paraboschi, Controlling access to XML documents, IEEE Internet Computing 5 (2001) 18–28.

[10] C. Ardagna, M. Cremonini, S. D. C. di Vimercati, P. Samarati, A privacy-aware access control system, Journal of Computer Security 16(4) (2008) 369–397.

[11] R. Laborde, T. Desprats, An extension of XACML to improve the performance of decision making processes when dealing with stable conditions, in: L. Boursas, M. Carlson, W. Hommel, M. Sibilla, K. Wold (Eds.), Systems and Virtualization Management. Standards and New Technologies, Vol. 18 of Communications in Computer and Information Science, Springer Berlin Heidelberg, 2008, pp. 13–24.

[12] Lawrence Berkeley National Laboratory, Bro intrusion detection system, http://bro-ids.org.

[13] R. Pang, V. Paxson, A high-level programming environment for packet trace anonymization and transformation, in: Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, ACM, Karlsruhe, Germany, 2003, pp. 339–351.

[14] T. Holz, An efficient distributed intrusion detection scheme, in: COMPSAC Workshops, 2004, pp. 39–40.

[15] M. Sobirey, S. Fischer-Hübner, K. Rannenberg, Pseudonymous audit for privacy enhanced intrusion detection, in: Proceedings of the IFIP TC11 13th International Conference on Information Security (SEC'97), 1997, pp. 151–163.

[16] S. Fischer-Hübner, IDA - An Intrusion Detection and Avoidance System (in German), Aachen, Shaker, 2007.

[17] M. Sobirey, B. Richter, H. König, The intrusion detection system AID - architecture and experiences in automated audit trail analysis, in: Proceedings of the IFIP TC6/TC11 International Conference on Communications and Multimedia Security, 1996, pp. 278–290.

[18] R. Büschkes, D. Kesdogan, Privacy enhanced intrusion detection, in: G. Müller, K. Rannenberg (Eds.), Multilateral Security in Communications, Information Security, Addison Wesley.
