A Similarity Measure for Comparing Access Control Policies

Recent collaborative applications and enterprises very often need to efficiently integrate their access control policies. An important step in policy integration is to analyze the similarity of policies. Existing approaches to policy similarity analysis are mainly based on logical reasoning and Boolean function comparison. Such approaches are computationally expensive and do not scale well for large heterogeneous distributed environments (like Grid computing systems). In this paper, we propose a policy similarity measure as a filter phase for policy similarity analysis. This measure provides a lightweight approach to pre-compile a large amount of policies and only return the most similar policies for further evaluation. In this paper we formally define the measure by taking into account both the case of categorical attributes and numeric attributes. We solve the problem of name heterogeneity when comparing policies by using ontology matching techniques. Detailed algorithms are presented for the similarly computation. We also present experimental results which demonstrate the efficiency and practical value of our approach.