Visualization Analysis of Multi-Domain Access Control Policy Integration Based on Tree-Maps and Semantic Substrates

The complexity of multi-domain access control policy integration makes it difficult to understand and manage policy conflict information. Policy information visualization technology can express the logical relations of complex information intuitively, which can effectively improve the ability to manage multi-domain policy integration. Based on the role-based access control model, this paper proposes two policy analysis methods, one on the separated-domain statistical information of multi-domain policy integration conflicts and one on the policy element levels of inter-domain and the element mapping of cross-domain, and develops the corresponding visualization tool. We use the tree-maps algorithm to statistically analyze the quantity and type of the policy integration conflicts. On that basis, the semantic substrates algorithm is applied to analyze concretely the policy element levels of inter-domain and the role and permission mapping of cross-domain. Experimental results show that tree-maps and semantic substrates can effectively analyze the conflicts of multi-domain policy integration and have good application value.


Introduction
Along with the development of network technology, more and more network information services, such as collaborative computing and distributed storage, need to exchange information across trusted domains. The large set of cross-domain access control policies makes their management a complicated task [1]. Policy information visualization [2] technology can express the logical relations of complex information intuitively, which can effectively improve the ability to manage multi-domain policy integration.
The characteristics of the RBAC model, such as role hierarchy, least privilege and separation of duty, make it widely used in multi-domain environments. In the particular setting of cross-domain information exchange, different domains have different administrators. When an administrator deletes, changes or adds something in a policy, conflicts may appear. The separated-domain statistical information gives the administrator a macro-level understanding and helps him obtain qualitative results. But it is still hard to sort out the relations among the many element mappings. To troubleshoot and resolve conflicts, he needs more information about the intra-domain hierarchy and inter-domain mapping of the RBAC model. So separated-domain statistical information on the macro level, together with the intra-domain hierarchy and inter-domain mapping of the RBAC model on the micro level, guarantees correctness and effectiveness.
Scholars have applied information visualization methods to the visualization analysis of access control policies. Prathima Rao et al. [3] proposed a multi-level grid-based technique for visualizing the results of policy analysis. Xu et al. [4] proposed both semantic substrates and an adjacency matrix technique for policy query and violation presentation of SELinux security policy. Reeder et al. [5] proposed the Expandable Grids tool for displaying and authoring policies. Ghazinour et al. [6] proposed a visualization model for privacy policy and applied it to the analysis of Facebook. The above-mentioned works target particular application scenarios, such as similarity analysis, SELinux, policy authoring or privacy policy, and are not related to the visualization analysis of multi-domain information.

Symbol Definition
Definition 1. We define domain set the policy set P: , where P ij is the No. j policy in Domain G i, the rule set R: , where R ijk is the No. k rule of the policy P ij. Assume the administrator of G 0 is analyzing the conflicts between G 0 and other Domains in this paper. S is the number of policy conflicts, S(G i) means the number of conflicts between Domain G 0 and G i, S(P ij) means the number of conflicts between P ij and G 0, S(R ijk) means the number of conflicts between R ijk and G 0.
Definition 2. For representation for the user of G i, we use G i _U i. For the role of G i, we use G i _R i. For the permission of G i, we use G i _PR i.

Problem Analysis
In this paper, we define the visualization analysis problems for the analysis of the RBAC model in the setting of cross-domain information exchange.
Conflicts that arise for different reasons call for different solutions. The administrator needs to get the common information first, then the details of the RBAC model. So the key is to solve the following two problems:
1) Obtain common information: the relation between different domains, the conflict type and quantity.
2) Obtain detail information: the element hierarchy of intra-domain, the element mapping of inter-domain.

Tree Structure of the Statistical Information of Conflicts
If Domain G 0 has conflicts with G i, they appear as conflicts between G 0 and P ij, and so on. If P ij contains several rules, they appear as conflicts between G 0 and the rules R ijk of P ij. The quantity will satisfy the following equations: It suits the typical three-level tree structure, so it can be expressed by a tree structure.
For each tree, the root node represents G i, the child nodes of the 2nd level represent P ij, and the child nodes of the 3rd level represent R ijk. A policy consists of one or more rules. If the policy has only one rule, the 2nd level node is the leaf node. If not, the leaf node is the 3rd level node.
The attributes are: 1) the size of the node is the number of conflicts; 2) different colors mean different conflict types. Following Shafiq [7], we define red for modality conflict, yellow for multiple management conflict, blue for cyclic inheritance conflict, green for SoD conflict.

The Relationship between Elements of RBAC
According to RBAC96 [8], we define RBAC types as follows: User, Role, Permission.
When the background is multi-domain information exchange, the relationships between those types are as follows:
Intra-Domain:
1) User Assignment (UA): a many-to-many user-to-role assignment relation.
2) Permission Assignment (PA): a many-to-many permission-to-role assignment relation.
3) Role Hierarchy (RH): the hierarchical relationship between roles.
Inter-Domain:
4) Role Mapping (RM): its purpose is to let two roles from two different domains access the other side.
5) Permission Equality (PE): its purpose is to make the role mapping possible.

Tree-Maps
The tree-maps [9] algorithm is an approach in which each node is a rectangle whose area is proportional to some attribute such as node size. The traditional tree drawing can express the hierarchical relation of a tree structure exactly, but it has two shortcomings: first, as the number of nodes grows, the drawing overwhelms the whole screen and the user cannot get complete information; second, it cannot carry any other attributes, such as the size of the node or the importance of the node. The rectangle-filling approach can solve these two problems. Figure 1 shows that the size of the rectangle represents the size of the node and that it can also carry the other attributes. In this paper, the size of the rectangle shows the number of conflicts; the color shows the conflict type; the text information of the rectangle is the specific conflict policy. The administrator can get the statistical information from these attributes.
In the tree-maps algorithm, the size of a node determines the size of its rectangle. The size of the root node is the sum of all its child nodes. For the 1st level child nodes, we partition vertically according to the size proportion of each node; for the 2nd level child nodes, we partition horizontally; we keep alternating the partition direction down to the leaf nodes.
The implementation steps of tree-maps are shown in Figure 2.
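The alternating partition described above, as an added Python example that is not the authors' Java tool. The virtual root above the domains, the 120 x 60 canvas, the conflict counts and the reading of "vertical partition" as children placed side by side along x are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    label: str
    conflicts: int = 0                      # leaf weight: conflicts with G0
    children: list = field(default_factory=list)

    def size(self):
        # An inner node's size is the sum of its children's sizes.
        if self.children:
            return sum(c.size() for c in self.children)
        return self.conflicts

def layout(node, x, y, w, h, vertical=True, out=None):
    """Return {label: (x, y, w, h)}, alternating the cut direction per level."""
    out = {} if out is None else out
    out[node.label] = (x, y, w, h)
    total = node.size()
    if total == 0:                          # nothing to partition
        return out
    offset = 0.0
    for child in node.children:
        if vertical:                        # children side by side along x
            cw = w * child.size() / total
            layout(child, x + offset, y, cw, h, False, out)
            offset += cw
        else:                               # children stacked along y
            ch = h * child.size() / total
            layout(child, x, y + offset, w, ch, True, out)
            offset += ch
    return out

# Constructed sample: domain -> policy -> rule; a one-rule policy is a leaf.
ROOT = Node("G0", children=[
    Node("G1", children=[
        Node("P11", children=[Node("R111", 2), Node("R112", 1)]),
        Node("P12", 1)]),
    Node("G2", children=[Node("P21", 2)]),
    Node("G3", children=[
        Node("P31", children=[Node("R311", 1), Node("R312", 3)]),
        Node("P32", 2)]),
])
RECTS = layout(ROOT, 0, 0, 120, 60)
```

Each rectangle's area is its share of the 12 constructed conflicts, so G 3, with 6 of them, takes half of the canvas.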

Semantic Substrates
Semantic substrates [10] is a spatial template for a network, where nodes are grouped into regions and laid out within each region according to one or more node attributes. It is applicable to data structures that have the following two features: 1) the data can be grouped according to their attributes and the regions do not overlap; 2) the data of each region form a network relation, and the links between different regions have different semantics. It can solve two problems: 1) the crossing of multiple links; 2) the different semantics of the links between different regions. The complexities of analyzing multi-domain policy based on RBAC are: 1) the crossing of links due to multiple inheritance and distribution mapping; 2) different semantics due to the five types of relations. So semantic substrates can resolve exactly these two problems. There are two steps to organize the nodes: 1) nodes are grouped into rectangular regions according to the three types: user, role and permission; 2) nodes are placed in each region according to their domain, as in Figure 3.
A circle represents a user, a rectangle represents a role, and a triangle represents a permission.
The arrows connecting the elements, according to their different colors and different directions, show different
Example:
1) Intra-domain UA. In G 1, the relation from user to role is UA, red one-way arrow. Figure 3(a) is the result of query "the user assignment of domain G 1".
2) Intra-domain PA. In G 1, the relation from role to the permission is PA, green one-way arrow. Figure 3(b) is the result of query "the permission assignment of domain G 1".
3) Intra-domain RH. In G 1, the relation between roles is RH, black one-way arrow.
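The region layout and typed links of this section, as an added Python example that is not the authors' tool. It also covers the inter-domain RM and PE relations defined earlier. The element names, pixel sizes and sample links are constructed, and the consistency check in check() is an assumption derived from the intra-domain and inter-domain definitions.

```python
import re

# Relation -> (source type, target type, crosses domains?, arrow colour, two-way?)
RELATIONS = {
    "UA": ("user", "role", False, "red", False),
    "PA": ("role", "permission", False, "green", False),
    "RH": ("role", "role", False, "black", False),
    "RM": ("role", "role", True, "blue", True),
    "PE": ("permission", "permission", True, "blue", True),
}
KIND = {"U": "user", "R": "role", "PR": "permission"}
REGIONS = ["user", "role", "permission"]   # one non-overlapping band per type

def parse(name):
    """Split 'G1_PR2' into (domain, element type), following Definition 2."""
    m = re.fullmatch(r"(G\d+)_(U|R|PR)\d+", name)
    if not m:
        raise ValueError(f"bad element name: {name}")
    return m.group(1), KIND[m.group(2)]

def place(names, domains, col_w=100, band_h=80, step=20):
    """Band (y) is chosen by element type, column (x) by domain."""
    pos, used = {}, {}
    for name in sorted(names):
        dom, kind = parse(name)
        slot = used.get((dom, kind), 0)
        used[(dom, kind)] = slot + 1
        pos[name] = (domains.index(dom) * col_w + slot * step, REGIONS.index(kind) * band_h)
    return pos

def check(link):
    """Return the arrow style for a link, or raise if it contradicts its relation."""
    src, rel, dst = link
    s_kind, d_kind, cross, colour, two_way = RELATIONS[rel]
    (s_dom, sk), (d_dom, dk) = parse(src), parse(dst)
    if (sk, dk) != (s_kind, d_kind) or (s_dom != d_dom) != cross:
        raise ValueError(f"{rel} cannot link {src} and {dst}")
    return {"from": src, "to": dst, "colour": colour, "two_way": two_way}

def query(links, rel, domain):
    """query(LINKS, 'UA', 'G1') answers 'the user assignment of domain G1'."""
    return [check(ln) for ln in links if ln[1] == rel and parse(ln[0])[0] == domain]

# Constructed sample policy elements and links.
LINKS = [("G1_U1", "UA", "G1_R1"), ("G1_U2", "UA", "G1_R2"), ("G1_R1", "PA", "G1_PR1"),
         ("G1_R1", "RH", "G1_R2"), ("G1_R2", "RM", "G3_R1"), ("G1_PR1", "PE", "G3_PR1"),
         ("G3_U1", "UA", "G3_R1")]
NODES = {n for s, _, d in LINKS for n in (s, d)}
POSITIONS = place(NODES, ["G1", "G3"])
```

A link that contradicts its relation, such as a UA arrow from a G 1 user to a G 3 role, is rejected by check() instead of being drawn.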

The Visualization Implementation
We implemented the interactive visualization interface in Java using Eclipse standard 3.4.1, which lets users carry out the analysis according to their own needs.

Tree-Maps
Figure 5 is the screenshot of the visualization analysis results; the application example is "the administrator of G 0 analyzing the conflict information with G 1, G 2, G 3, G 4". Figure 5(a) is the query result of "the quantity of the conflicts with each domain". Figure 5(b) is the query result of "conflict type statistical information".
From Figure 5(a), the administrator can see at a glance that G 3 has the most conflicts with G 0. From the sizes of the second partition, he knows there are 4 policies in G 3 having conflicts with G 0, and he can also get the quantity information from the size of each rectangle. From the rectangle sizes of the third partition, he sees the quantity of the conflicts with each rule of each policy. He can also get the text information by moving the mouse to the related area; e.g., in Figure 5(a), he can get the information "R 312 conflict with P 01, P 04" by moving the mouse to the R 312 area.
From Figure 5(b), he can obtain the information about conflict type from the different colors of the rectangle regions and also get text information with the mouse.
At the same time, the administrators of G 1, G 2, G 3 and G 4 can get the information about conflicts with G 0, which makes it easier for them to discuss with the administrator of G 0 and solve the conflicts.

Semantic Substrates
After getting the quantity and the type of the conflicts at the macroscopic level, the administrator needs to check the detailed information of the intra-domain element hierarchy and the inter-domain mapping. Based on Figure 5, Figure 6 is the visualization analysis result of the application example: "The administrator wants to get the user assignment and permission assignment information of G 1".
He can click the relevant button to get the information, e.g., click the "User to Role" button and the "Role to permission" button to achieve his aim. If he wants to cancel a selection, he just clicks the button again.
The user can get all five types of information at one time by clicking all the buttons, or can choose just what he wants. What's more, by moving the mouse over an element, the user acquires its attributes. E.g., in Figure 6, he can move the mouse to the circle of the G 1 _U 1 area and obtain the information.

Conclusion
In this paper we analyzed the complexity of policy integration in cross-domain information exchange and posed two problems whose solution ensures that the administrator gets the proper information intuitively. Two visualization algorithms, tree-maps and semantic substrates, are applied to resolve the two problems. Furthermore, we analyzed how to use them to analyze the information, and we implemented them through Java Graphics. Future work includes visualization analysis covering other access control models in multi-domain information exchange.

Figure 3(c) is the result of query "the Role hierarchy of domain G 1". 4) Inter-domain RM. The relation between roles in G 1 and roles in G 3 is RM, blue two-way arrow.

Figure 3(d) is the result of query "the Role mapping from roles in G 1 to roles in G 3". 5) Inter-domain PE. The relation between permissions in G 1 and permissions in G 3 is PE, blue two-way arrow.

Figure 3(e) is the result of query "the permission equal from roles in G 1 to roles in G 3".

Figure 6. The screenshot of semantic substrates.