A DAG-Based Security Policy Conflicts Detection Method

Policies are increasingly used in the field of security management. Security policies confliction is one of the most difficult problems in this field. The shortcoming of previous methods on security policies confliction detection is analyzed. Security policies are considered a kind of relation between subject and object about authority or obligation. Subjects and objects are elements in a distributed system. In researching relations among the elements in the distributed system, a conception of “field” is provided. The relations of fields can express the relations among the elements in the distributed system. A directed acycline graph model is given in order to precisely describe the relations of fields. A quantity method based on the model to detect security policy conflicts is then presented. A number of cases on security policy confliction are studied to prove the method correctness and availability. Finally, the algorithmic complexity is analyzed, which is in direct proportion to the number or square number of vertexes in the directed acycline graph. Data from experiments is also provided to support the conclusion. The way on security policy conflicts detection is extended and security policy practicability is provided.