TY - GEN
T1 - Application domain independent policy conflict analysis using information models
AU - Davy, Steven
AU - Jennings, Brendan
AU - Strassner, John
PY - 2008
Y1 - 2008
N2 - A key part of the policy authoring process is analysis of the potential for newly created or modified policies to conflict with already deployed policies. We propose an approach for policy conflict analysis in which candidate policies (either newly created or modified) are analyzed on a pair-wise basis with already deployed policies, with potential conflicts between the policies being notified to the policy author. Central to the approach is a two-phase algorithm which, querying an information model, firstly determines the relationships between the pair of policies and, secondly, applies an application-specific conflict pattern to determine if the policies should be flagged as potentially conflicting. The algorithm is generic in the sense that all application-specific information is encoded in the information model; as long as a minimal set of assumptions regarding the policy model is adhered to, it can be applied in arbitrary application domains. In the paper we present the two-phase algorithm and describe an implementation in which it is used to detect potential conflicts for both access control and filtering (firewall) policies.
AB - A key part of the policy authoring process is analysis of the potential for newly created or modified policies to conflict with already deployed policies. We propose an approach for policy conflict analysis in which candidate policies (either newly created or modified) are analyzed on a pair-wise basis with already deployed policies, with potential conflicts between the policies being notified to the policy author. Central to the approach is a two-phase algorithm which, querying an information model, firstly determines the relationships between the pair of policies and, secondly, applies an application-specific conflict pattern to determine if the policies should be flagged as potentially conflicting. The algorithm is generic in the sense that all application-specific information is encoded in the information model; as long as a minimal set of assumptions regarding the policy model is adhered to, it can be applied in arbitrary application domains. In the paper we present the two-phase algorithm and describe an implementation in which it is used to detect potential conflicts for both access control and filtering (firewall) policies.
KW - Conflict detection
KW - Information model
KW - Policy based management
UR - http://www.scopus.com/inward/record.url?scp=51849134182&partnerID=8YFLogxK
U2 - 10.1109/NOMS.2008.4575112
DO - 10.1109/NOMS.2008.4575112
M3 - Conference contribution
AN - SCOPUS:51849134182
SN - 9781424420667
T3 - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services
SP - 17
EP - 24
BT - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium
T2 - NOMS 2008 - IEEE/IFIP Network Operations and Management Symposium: Pervasive Management for Ubiquitous Networks and Services
Y2 - 7 April 2008 through 11 April 2008
ER -