Queuing Theoretic Analysis of Dynamic Attribute-Based Access Control Systems.

Access resolution in Attribute-based Access Control (ABAC) is primarily through the enforcement of an ABAC policy. However, incremental user-specific authorizations are also often added to supplement the attribute-based accesses. As this auxiliary list of authorizations grows, enforcement becomes increasingly more inefficient, since both the ABAC policy and the specific authorizations are to be evaluated. Regenerating the ABAC policy from the auxiliary list, on the other hand, requires re-running the computationally expensive policy mining algorithms. Further, access mediation has to be put on hold while policy rebuilding is done, resulting in periods of unavailability of the system. In this paper, we look into the problem of balancing access request resolution, accommodating dynamic authorization updates, and ABAC policy rebuilding. We employ a queuing theoretic approach where the access mediation process is modeled as an M/G/1 queue with vacation. The server is primarily involved in resolving access requests, but occasionally goes on vacation to rebuild the ABAC policy. We study the effects of several parameters like request arrival rate, access resolution time, vacation duration and interval between vacations. Our extensive experiments provide a direction towards efficient implementation of ABAC.