*An Intelligent Access Control Model*

*DOI: http://dx.doi.org/10.5772/intechopen.95459*

*Quality Control - Intelligent Manufacturing, Robust Design and Charts*

| Performance metrics element | Description | The applicable Access Control Component |
| --- | --- | --- |
| Response time | The time required to process an access request should meet the organization requirement | PEP, PDP, PIP, PRP |
| Policy distribution | If there exists a mechanism that can be used for access control policy distribution | PAP, PIP, PRP |
| Integrated with authentication function | If the subject and object can be associated with some identifications through an authentication function. | PIP |

Key: Policy Decision Point (PDP), Policy Administration Point (PAP), Policy Enforcement Point (PEP), Policy Information Point (PIP), Policy Retrieval Point (PRP)

**Table 3.** *Performance evaluation metrics.*

#### *5.4.5 Experimental results and discussion*

Each experiment was run five times, and then the average value was recorded. Five scenarios were observed by increasing the number of requests from five to twenty-five as illustrated in **Table 4**. The request indicates an access control request from a user (subject) to access nova-resources (object).

Based on usability engineering [67, 68], the response time value can fall within three categories: over 0.1 seconds will give the user a feeling that the system is reacting instantaneously, over 1.0 seconds will give the user a feeling of a delay but will stay uninterrupted, over 10 seconds the user will lose his/her attention and will search for something to work on till the computer responds.

| No. of Requests | Response time | Exp1 | Exp2 | Exp3 |
| --- | --- | --- | --- | --- |
| 5 | Real | 8.67 | 8.96 | 8.77 |
| | User | 5.56 | 5.52 | 5.55 |
| | System | 0.42 | 0.44 | 0.40 |
| 10 | Real | 17.24 | 17.34 | 17.24 |
| | User | 10.99 | 11.05 | 11.11 |
| | System | 0.88 | 0.86 | 0.83 |
| 15 | Real | 25.52 | 26.08 | 25.87 |
| | User | 16.46 | 16.61 | 16.64 |
| | System | 1.25 | 1.31 | 1.22 |
| 20 | Real | 34.40 | 34.56 | 34.45 |
| | User | 22.07 | 22.17 | 22.23 |
| | System | 1.68 | 1.66 | 1.56 |
| 25 | Real | 43.02 | 43.05 | 43.07 |
| | User | 27.64 | 27.63 | 27.82 |
| | System | 2.09 | 2.10 | 1.96 |

**Table 4.** *Experimental results.*

Three time values have been recorded, as illustrated in **Table 4**: real-time, user-time and sys-time. In this study, real-time and sys-time bear directly on the performance analysis, whereas user-time reflects the processing outside the kernel. The real-time shows the access control execution time in addition to the other OpenStack cloud processes that introduce some delay by blocking the process or introducing a waiting time. Therefore, this measurement will indicate the effect of our extended **ABACsh** nova on the overall OpenStack system.

The graph in **Figure 10** compares the real-time for the three sets of experiments. The increase is 0.05 seconds when the extended **ABACsh** nova employs forward reasoning in access decision processing, as shown in **Table 5**, while the increase is 0.145 seconds when **ABACsh** uses twenty-four attributes in access decision processing. Therefore, there is an increase of 0.56% when attributes are added to the policy engine and 0.19% when the forward-chaining algorithm is added. Consequently, the increase in response time is negligible in reference to usability engineering when the nova default access control is extended with part of the proposed ABAC enhancement.

**Figure 10.** *Real-time for access control processing in nova.*

| | Experiment 2 - Experiment 1 | Experiment 3 - Experiment 1 |
| --- | --- | --- |
| | 0.29 | 0.1 |
| | 0.1 | 0 |
| | 0.56 | 0.35 |
| | 0.16 | 0.05 |
| | 0.03 | 0.05 |
| Average | 0.145 | 0.05 |
| Percentage | 0.56% | 0.19% |

**Table 5.** *Comparing real-time values.*

On the other hand, sys-time gives the process execution only within the kernel, regardless of the other tasks. Therefore, the time for the 25 requests dropped from 43.02 seconds within real-time to 2.09 seconds within sys-time during Exp1, which involves default nova access control. The sys-time comparison for the three experiments is illustrated in **Figure 11**. The results show a slightly better performance of 5.5% for extending the default nova access control when forward-reasoning has been utilized, whereas there is an increase of 4% over the default nova when 24 attributes are used in the policy engine, as illustrated in **Table 6**.

**Figure 11.** *Sys-time for access control processing in nova.*

**Table 6.** *Comparing sys-time values.*

From these results, **ABACsh** shows an acceptable performance compared to the default OpenStack access control within the nova service. This section demonstrates the performance improvement of the enhanced attribute-based access control **ABACsh** when attributes and the forward reasoning algorithm are employed. It has been noticed that the performance improvement is linear in **Figure 10** when only attributes are involved in the access decision, whereas in **Figure 11**, when forward reasoning is involved, an improvement in performance has been noticed. This indicates an opportunity for enhancing IaaS-cloud security when logical reasoning and AI mechanisms are involved in the access control system.
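The real-time, user-time and sys-time values discussed in this section can be collected with a small harness like the one below. It is an added example, not the chapter's measurement code: it assumes a POSIX host, the names `STAND_IN_REQUEST`, `time_batch`, `average_runs` and `waiting_time` are hypothetical, and a sleeping child process stands in for one nova access request.

```python
import os
import subprocess
import sys
import time

# Constructed stand-in for one access request (assumption, not a nova call):
# a child process that mostly waits, as a request blocked on other services.
STAND_IN_REQUEST = [sys.executable, "-c", "import time; time.sleep(0.05)"]


def time_batch(command, n_requests):
    """Run command n_requests times in sequence; return real/user/sys seconds."""
    cpu_before = os.times()
    wall_before = time.perf_counter()
    for _ in range(n_requests):
        subprocess.run(command, check=True)
    wall_after = time.perf_counter()
    cpu_after = os.times()
    return {
        "real": wall_after - wall_before,  # wall clock, includes waiting
        # CPU time of the finished children (POSIX only), split by mode.
        "user": cpu_after.children_user - cpu_before.children_user,
        "sys": cpu_after.children_system - cpu_before.children_system,
    }


def average_runs(command, n_requests, runs=5):
    """Repeat the batch `runs` times and average each time value."""
    samples = [time_batch(command, n_requests) for _ in range(runs)]
    return {k: sum(s[k] for s in samples) / runs for k in ("real", "user", "sys")}


def waiting_time(times):
    """Wall-clock seconds spent neither in user-mode nor kernel-mode CPU."""
    return times["real"] - times["user"] - times["sys"]


if __name__ == "__main__":
    # Same request counts as the chapter's five scenarios.
    for n in (5, 10, 15, 20, 25):
        avg = average_runs(STAND_IN_REQUEST, n)
        print(f"{n:>2} requests  real={avg['real']:.2f}  user={avg['user']:.2f}  "
              f"sys={avg['sys']:.2f}  waiting={waiting_time(avg):.2f}")
    # Table 4, 25 requests, Exp1: time not accounted for by CPU work.
    table4_row = {"real": 43.02, "user": 27.64, "sys": 2.09}
    print(f"Table 4 (25 requests, Exp1) waiting = {waiting_time(table4_row):.2f} s")
```

Because the stand-in request sleeps, its real-time is dominated by waiting while user and sys stay small, which is the gap between real-time and sys-time that the section describes.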

#### *5.4.6 Experiments limitations*

The main aim of the experiments in this chapter is to study the performance improvement when an attribute-based access control model is introduced into an IaaS cloud. The experiment scale is limited to a private cloud in a LAN set-up. Therefore, network performance metrics such as latency and throughput have not been studied. The implementation in this chapter does not involve the PIP component of the access control; therefore, only a simple forward reasoning algorithm has been deployed, without a knowledge update component. The database used for knowledge is written manually, whereas the system should use an automated information collection method if PIP is implemented. One subject is involved in each experiment; therefore, multi-access has not been investigated in this chapter. A multi-tenant study is critical future work.

**6. Conclusions**

This chapter focuses on the problem of deploying access control in a dynamic environment. Access control is one of the information security principles, where system user access is controlled through an access policy. In the cybersecurity world, where systems and devices are distributed in different locations, there is a need for an access control model that is able to cope with a dynamic environment where new users with different privileges are joining and leaving the system.

This chapter proposes deploying an enhanced version of attribute-based access control named **ABACsh**. This model deploys the knowledge-base category of AI. A proof of concept is implemented in the cloud computing environment to measure the performance and the visibility of such a deployment.

**Author details**

Shadha Mohamed Sulaiyam ALAmri

University of Technology and Applied Sciences, Muscat, Oman

\*Address all correspondence to: shadha-alamri@hct.edu.om

© 2021 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
