Improving Performance of ABAC Security Policies Validation using a Novel Clustering Approach

Cloud computing offers several services, such as storage, software, networking, and other computing services. Cloud storage is a boon for big data and big data owners. Although big data owners can easily avail cloud storage without spending much on infrastructure and software to manage their data, security is a big issue, and protecting the outsourced big data is challenging and ongoing research. Cloud service providers use the attribute-based access control model to detect malicious intruders and address the security requirements of today’s new computing technologies. Anomalies in security policies are removed to improve the efficiency of the access control model. This paper implements a novel clustering approach to cluster security policies. Our proposed approach uses a rule-specific cluster merging technique that compares the rule with the clusters where the probability of similarity is high. Hence this technique reduces the cost, time, and complexity of clustering. Rather than verifying all rules, detecting and removing anomalies in every cluster of rules improve the performance of the intrusion detection system. Our novel clustering approach is useful for the researchers and practitioners in the ABAC policy validation. Keywords—Anomalies; attribute-based access control model; big data; cloud storage; clustering; intrusion detection system; security policy


I. INTRODUCTION
Cloud storage is one of the most beneficial services to leverage and manage big data efficiently [1]. Large-scale enterprises, governments, and commercial organizations use the cloud to store and manage their big data without spending much on implementing infrastructure. Data privacy and security are essential, and securing the shared big data is a real challenge in today's emerging computing technologies [2] [3]. We have surveyed about challenges, security issues, and existing methodologies for addressing the security requirements [4]. Data breaches, data loss, account hijacking, denial of services, and malicious insiders are some attacks, and various encryption techniques are used to protect the data in the distributed cloud storage [5] [6]. Cloud service providers use various access control models to implement the Intrusion Detection System [7] [8]. The access control model is a function that identifies whether a requested operation on a shared object(resource) is legal or not [9]. In other words, the access control model is a protection technique that categorizes the authorized and unauthorized users and protects the shared resources based on the Access Control List (ACL) or security policies. The access control models use rules to determine which user can get what types of accesses for a shared resource. It manages all access-rights and access-conflicts over the shared resources [10]. The term object refers to the shared resources in a distributed environment. The access control models use the term subject to refer to the process being executed for a single user or an organization, which requests access for the object. Fig. 1 shows the working mechanism of the access control model. Many access control models are developed, and each is good in some situations and gives performance up to their level [11]. In this paper we described the major four access control models Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role Based Access Control (RBAC), and Attribute Based Access Control (ABAC) models. Discretionary Access Control (DAC) allows the owner of the object to specify the access rights of the user for their object. Thus the resource-owner decides and determines the security policies directly and explicitly unlike nondiscretionary access control models. In non-discretionary access control models, rather than the resource-owner, the administrator determines the security policies [12]. DAC creates and maintains ACL for every individual resource to determine the access privileges of the user for that resource. ACL of each resource is a table of records and each record specifies the information about the user(or group of users) and the access rights [2]. The process of specifying ACL in DAC is very flexible, easily updatable, and reduces the administrator's work but the level of security is less [6]. The operating systems WINDOWS, LINUX use DAC. DAC meets the security requirements when the number of resources and users are limited but it fails to address the security requirements of today's computing technologies. The delegation feature of DAC has even more benefits like offering cooperation between users and the resource-owner [8]. But it leads to loss of confidentiality, integrity, and availability of resources if any user made a wrong decision while granting access to other users. As DAC requires a resource-owner for each object to determine the access rights, fulfilling this requirement is difficult in new computing technologies like cloud and fog computing [9] [10].
Mandatory Access Control (MAC) is a central authority system where the administrator or the authorized person only can set access rights. The access rights cannot be specified or updated by the user like DAC. MAC uses a security label for each resource and subject. There are two pieces of information in a security label. The first piece of information called classification-segment determines the nature (public or private) of the resource or subject. The second segment category specifies the information about the process or application. MAC allows the requested operation on the object if the security labels of the object and subject match. The administrator only can determine the characteristics or attributes of the subject and object. Even the allowed users cannot specify or change the attributes. While DAC fails to give security on sensitive and confidential data, MAC meets these security requirements of the business and government organization. MAC is capable of managing trojan horses to protect the shared resources. Unlike DAC, the integrity and confidentiality of the resource are preserved by MAC. The feature reference monitor of MAC stores all security labels and policies in the database and monitors the access rights of every request for the object. The operating system Security-Enhanced Linux implements MAC to protect the objects. If the communication between the subject and object is high, then managing security labels and policies is a challenging issue. DAC and MAC are efficient when the size of data and the number of users are small [11]. MAC increases the complexity in managing security policies for large applications [2].
RBAC introduces a new concept of assigning roles between users and resources. RBAC (Role-Based Access Control) uses the permission-role and role-subject association to protect shared resources, whereas ABAC(Attribute-Based Access Control) uses security policies [13]. RBAC meets the security requirements of large applications. RBAC determines the security policies or access rights based on the role or job of the subject. Thus this access control model specifies the possible access rights (permissions) to the role. The subject can get access to an object based on his role or job. RBAC performs two assignments thus it first assigns all permissions required for a particular job or role for an object and second it assigns a role to the user or subjects. RBAC provides two efficient features least privilege and separation. The feature least privilege means RBAC assigns access rights or permissions required only for the role or task being processed on the object. As no additional access rights can be availed by the role, it prevents unauthorized access and preserves the integrity of the data. Another feature separation of duties distributes the process into various roles or duties and assigns the duty to the subject. As the subject can perform his/its assigned role only, RBAC prevents the entry of fraud intruders [14]. Hence no subject can perform all permissions or access rights of the shared object rather than the central authority (administrator). It increases the security level and RBAC has the capacity of ensuring whether the end-users can do their permitted transactions. Using the feature of grouping rules reduces the complexity of the administrator's work. Government sectors, military, and private organizations use RBAC to protect databases, web services, and all shared resources [15].
As RBAC performs constant or permanent associations (permission-role and role-subject), it fails to address the security needs of the computing technology that requires the dynamic associations and role-independent security policies. ABAC addresses this issue and is capable of performing dynamic relationships and generating role-independent security policies. ABAC security policies are generated with the attributes of the categories subject (who requests the operation of a resource), object (resource is shared in a distributed environment), and environment (time, the importance of the request, etc.). Both RBAC and ABAC address the security needs of large-scale applications or organizations, but ABAC fulfills the complex security requirements of today's computing technologies [9]. It gives better security even if the communication between the subjects and objects is increasing exponentially [16]. It has many features fine and coarse-grained access, dynamic mapping (subject-object), and flexibility. With the properties efficiency, flexibility, granularity, and security-level [17]. We gave a summarized analysis of the above-described access control models in Table I. Most of today's computing technologies cloud, fog, edge, and IoT use ABAC to meet the security requirements. But the anomalies in the ABAC security policies dilute the reliability and efficiency of the mechanism [18]. Detection and elimination of all possible anomalies in security policies or rules improve the efficiency and accuracy of security. We can improve the performance of the detection mechanism by detecting anomalies in every cluster of similar rules, instead of detecting in every rule. This paper implemented a new approach to cluster similar ABAC security rules. The scopes of our approach are: • Tool to generate ABAC Policies.
• Ability to measure the similarity of rules.
• Reduces the generation of more clusters.
• Avoids avoidable-redundancy (the same rule is contained in many clusters).
• Avoids the conflict clusters (not all rules in clusters are similar).
• Ease of implementation.
We use Section II to describe some clustering approaches already used in various research works, and Section III presents the fundamental concepts of the ABAC model and our proposed clustering approach. We use Section IV to describe the system architecture of our implementation. We analyzed output and discussion about the outcome of our approach in Section V. Finally, we concluded in Section VI.

II. RELATED WORK
Bhatia and Vandana surveyed Nearest Neighbor techniques (NN). NN technique is simple, effective, and robust to noise. This approach generates clusters of nearest neighbors where the nearest neighbor is identified by some calculated value. The KNN(K-Nearest Neighbor) is an unsupervised clustering technique and determines the nearest neighbor based on the k-value. They categorized the NN techniques into two groups; Structure less NN techniques and structure-based NN techniques. Structure less NN determines the nearest neighbor from the training and sample data. In structure-based NN, the nearest neighbors are determined based on the structure of data such as top-down or bottom-up like a k-d tree or bell tree. Both categories are the extended or improved version KNN techniques. They conclude that researchers can improvise the NN technique based on their research [19]. Ahalya and Pandey analyzed various clustering algorithms such as the K-means algorithm, Hierarchical algorithm, self-organizing map (SoM) algorithm, and expectation maximization(EM) algorithm. They described some tools used to implement the clustering algorithms. They compared and analyzed the above algorithms based on the type and size of the data set, the number of clusters, implementation tools, and accuracy. They reported that kmeans and EM give better performance than other approaches and the SoM algorithm gives more accuracy than others [20].
MaryemAit El Hadj, Mohammed Erradi, and their team proposed an approach to cluster the security policies and additionally used the information of access log to detect the fraud intruders. They used the KNN algorithm to cluster the security rules and applied the rule-sub-module-reduction technique to minimize the count of rules in each cluster [21]. MaryemAit El Hadj and his team proposed a clustering approach to cluster XACML (eXtensible Access Control Markup Language ) policies. XACML is an efficient markup language to express ABAC policies. They cluster the rules based on their similarity. Every pair of rules is clustered if the similarity value of the pair or rules is greater than the threshold value of 0.8 [23]. This method ensures that each rule must be clustered once, and the same rule may be contained in more than one cluster. There must be non-empty clusters only. The above approach may produce a maximum number of clusters and clusters with a maximum number of rules [22]. In contrary to the above research, we proposed and implemented a novel approach that our approach uses the basic technique of hierarchical clustering algorithm [24]. Rather than using the distance between the new rule (data point) and the cluster center, we use the similarity value of the new rule and the existing rules in the previous cluster. We use a rule-specificcluster-merging approach instead of using the rule-submodule-reduction method. Thus if the similarity value of two rules Rule-1 and Rule-2 is above the threshold value, then we create a new cluster if and only if Rule-1 and Rule-2 are new rules that are not yet clustered. If Rule-1 (or Rule-2) is already clustered and Rule-2 (or Rule-1) is not clustered and matched with all rules of the existing cluster, which contains Rule-1 (or Rule-2), then Rule-2 (or Rule-1) is merged with that existing cluster. Our enhanced approach reduces the generation of more clusters, redundancy (the same rule is contained in many clusters), and avoids the conflict-clusters (not all rules in a clusters are similar). Table II summarizes our approach and the researches done in previously.  [20] Compared and analyzed various clustering algorithms such as the K-means algorithm, Hierarchical algorithm, self-organizing map (SoM) algorithm, and expectation maximization(EM) algorithm based on the type and size of the data set, the number of clusters, implementation tools, and accuracy. Reported that k-means and EM give better performance than other approaches and the SoM algorithm gives more accuracy than others. [21] Proposed an approach to cluster the security policies using the KNN algorithm and additionally used the information of access log to detect the fraud intruders. Applied rule-sub-module-reduction technique to minimize the count of rules in each cluster. [22] Proposed a clustering approach to cluster XACML (eXtensible Access Control Markup Language ) policies based on the similarity value. Pair of rules are clustered if they are similar rules. This approach generates an increased number of clusters and also the cluster contains an increased number of rules. A rule may be contained in more than one cluster (redundancy) and not all the rules in a cluster are similar (conflict-cluster).

This paper
Proposed novel approach that uses the basic technique of hierarchical clustering algorithm. We use a rule-specific-cluster-merging approach instead of using the rule-sub-module-reduction method. Our enhanced approach reduces the generation of more clusters, avoidable redundancy (the same rule is contained in many clusters), and avoids the conflict clusters (not all rules in clusters are similar).

III. PRELIMINARIES
The fundamental concept of the ABAC model is described in this section. This also section describes how the ABAC rules are expressed and how the similarity value of pair of rules is calculated.

A. ABAC Model
This section describes the basic concepts of the ABAC model and the simple authentication process. The common simple authentication process is making a decision (allow or deny) by using the information like username and password of the subject or user for the request to access the shared resources such as files, databases, software. This simple process of checking the identity of the subject is not sufficient to meet the security needs of today's emerging computing technologies. RBAC and ABAC are the models used to address the complex security requirements of new computing technologies like cloud and fog computing. While RBAC fails to generate dynamic mappings between subject and object and also it is a role-independent model, ABAC or the combined features of RBAC and ABAC can be used for the protection of shares resources [25]. In this paper, we use the ABAC model and we aim to detect and eliminate the anomalies in ABAC security policies. This paper proposes an enhanced approach for clustering the security policies to simplify the process of detection and removal of anomalies. Fig. 2 and Fig. 3 show the simple standard authentication system and the ABAC model.  ABAC model has a set of determined security policies where each security policy consists of security rules. In general, the security rule of the ABAC model is expressed with the decision (allow or deny), operations (read, write, print, etc.), and the attributes of subject (who requests the access), object (shared resources), and environment conditions (time, the importance of the operation, etc.). The decision either allowing or denying the subject's request is made based on the attributes of the subject, object, and environmental conditions specified in the rules. In our research work additionally, we added one parameter Priority-level to each security rule to avoid the demand on a single object. The priority level is assigned based on the subject's attributes and the importance of the operation on the object. The most common jargons used in the ABAC model are:

1) Subject and its attributes:
The term subject refers to a single or group of users or organizations or the process that requests the resource. The attributes of subjects are the important credential information about the subject like name of user or process, designation, department, affiliation, etc.
2) Object and its attributes: Shared resources (operating system, network, file, software, and database) are named as objects. The information like name, type, owner, and date of creation are the attributes of objects. 5) Rule and decision: Constructed with the above three categories subject, object, and environmental conditions. In our proposed approach, we included the additional parameter priority-level assigned based on the attributes of the subject. The rule takes the decision (allow or deny) based on the attributes of the subject, object, and environmental conditions. 6) Policy: It is a set of rules established for the protection of objects in an organization.

B. Expression of ABAC Security Policy
The security policies of ABAC are constructed with a set of rules. Every rule contains the attributes of the subject, objects, and environment. The decision (allow or deny) is made based on the values of the attributes specified in the rule [26]. We added one additional parameter priority-level in every rule to avoid the anomaly conflict-demand. Thus more requests on a limited object are referred to as conflict-demand. The parameter priority-level is a non-negative integer. The demand for a limited object is handled based on the value of the priority level. Thus the rule or request which has the highest priority value will be allowed to get access. The pair of rules is not clustered if the priority-level of the two rules are not equal. The security policy set of the ABAC model is expressed by JavaScript Object Notation (JSON) as follows: Extensible Access Control Markup Language (XACML) is the most common acceptable and widely used language to express the security policies. Each attribute is expressed with the pair key and value using a markup language. Key is the attribute name (eg. Department) specified as the tag and value (eg. Urology ) is the value of the attribute name specified within the key-tag. The ABAC policy set can be expressed by XACML as follows: The above rules Rule 1 and Rule 2 are security rules represented including the parameter PriorityLevel. The attributes Designation and Department are the categories of subject, File-Name is the attribute of category object, and the attribute Time is the category of environment. The rules state that the file 'pat_007_blood_report' can be read by the users 'duty doctor, 'surgeon' and 'head nurse' belong to the department 'hematology'. When all these three subjects are trying to get access to the file, 'duty doctor, 'surgeon' will get access first due to the highest priority. The relationship diagram of security policy and working principle of ABAC model is shown in Fig. 4. This security system provides two stages of authorization. The first stage performs the common traditional authorization process where the second stage completes the ABAC mechanism to increase the level of protection.

C. Measurement of Similarity Value
We used the following formulae to measure the similarity value of the pair of rules [27]. The similarity value (S) of the pair of rules R 1 and R 2 for an attribute 'atr' is calculated using formula-1.
where ATS(R 1 ) and ATS(R 2 ) are a set of attributes of R 1 and R 2, respectively. 'P atr' is the probability of the attribute (P atr =1/number of the common attribute in both R1 and R2). The variable 'atr' is the set of attributes that appeared in both R1 and R2 under the category C. The similarity-value (S) of the pair of the rule is measured by the formula-3.
S (R 1 , R 2 ) = P subject S subject (R 1 , R 2 ) + P object S object (R 1 ,R 2 )+ P environment S environment (R 1 ,R 2 ) The variable P is the probability of the category (subject, object, and environment). As equal probability is applied, the probability of each category is 1/3. The similarity value of the above-mentioned rules Rule 1 and Rule 2 is calculated as, Fig. 5 shows the system architecture of our proposed method. It contains the rules-clusters storage and management module, rule generation module, and rule clustering module. The functional operation, task, requirements of each module, and relationship among the modules are described in the following sections.

A. Rules-Clusters Storage and Management Module (RCSMM)
We created relations (tables) in Oracle11 (Oracle 12c is for an in-memory database environment). The schema diagram of RCSMM is shown in Fig. 6. The relation 'Subject' is used to store and manage the attributes and values of the subject. Likely the relation 'Object' and the relation 'Environment' store and manage the attributes of the resources and the environmental conditions respectively. The generated security policies are stored and maintained in the table 'Rules'. The information about the request of operation for a resource is maintained in the relation 'Operations'. The generated security rules are clustered and stored in the relation 'Clusters'. Table III, Table IV, Table V, Table VI show the sample records of the relations Subject, Object, Environment, and Clusters. Table VI illustrates that rules 1 and 2 are clustered in cluster-1 and cluster-11 consists of rules 32 and 33. We created a relation for each category (Subject, Object, and Environmental Conditions) to store and manage the value of all attributes. We have written stored functions to measure the similarity value of pair of rules for an attribute (e.g. Department), the similarity value of pair of rules for each category (e.g. Subject) and finally to measure the similarity value of pair of rules.

B. Rule Generation Module (RGM)
We designed the module RGM in java for automated rule generation. RGM is an admin interface in java to generate or specify the security policies for all shared resources. The admin can easily set the rules for a resource with the attributes of the categories Subject, Object, and Environment. This module is flexible for the admin to update the rules easily. This module allows the admin to create, or delete or update the entities of the subject, object, and environmental conditions. The priority of the rule is determined based on the role of the subject. The subject-attribute 'grade' is assigned with the value (low or high or middle) based on the attribute designation. The priority of the rule or request is determined based on the attribute 'grade'. We have written a rule generation procedure in Java to generate ABAC rules. Fig. 7 shows the interface of rule generation. The generated policies are stored in the relations Rules, Subject, Object, Environment, and Operations. Fig. 8 shows the sample of generated rules.

C. Rule Clustering Module (RCM)
We implemented our enhanced clustering algorithm in java to cluster the security policies. In our previous work [28] [29], we applied a direct clustering approach that every rule R i ( from top to bottom) is paired with the rule R j (from the next successive rule of Ri to the last rule in the database). The pair of rules are clustered if the similarity value of the pair of rules is above the threshold value and the difference between the priority-level of those rules is zero (priority-level of two rules are equal). The introduction of the parameter priority-level reduces the size of the clusters [30].
Although the previous approach clusters the rules efficiently, it produces more clusters, and the same rule is clustered in multiple clusters. In our enhanced approach, we follow the top-to-bottom approach thus we start from the first rule to last (1,2,3,..,n) and for each rule R i we made the pairing of the rule R i with every R j (j=i+1,i+2,..,n}. If two rules R i and R j are similar rules based on the condition (similarity-value(R i , R j )>0.8 and priority-level(R i ) is equal to priority-level(R j ) ), then we follow the following criteria to cluster the pair of rules R i and R j.
• The rules R i and R j are stored in a new cluster if R i is not yet clustered. (first similar rule of R i ) • In the case of the rule, R i is already clustered in C k, and R j is not clustered: (rule-specific-cluster-merging technique) o the rule R j is merged with the cluster C k if R j is similar to all the rules in the cluster C k, o otherwise, R j and R i are stored in a new cluster.
• Every rule should be clustered, and any cluster should not be empty.
The enhanced clustering algorithm is written as follows: ______________________________________________________ Algorithm: Rule-Specific-Cluster-Merging Approach (RSCA) ______________________________________________________ Input : Security rules R 1 , R 2 ,…, R n , // n is number of rules Output: Cluster of Rules C 1 , C 2 ,.., C k // k is the number of clusters 1. K=0; // K is the number of clusters 2. T={R 1 , R 2 ,……R n } /* T is the table of records and each record R i contains information of single rule */ 3. For each rule r 1 in R 1 to R n loop //form first record to last record 4.
For each rule r 2 in R i+1 to R n loop 5.
If r 1 is not yet clustered then 8.
Else if r 1 is already clustered and r 2 is not clustered then 10.
Found the cluster C F such that r 2 is similar to all the rules in C F where r 1 is the member of this cluster 11.
If such cluster C F is found then 12.
C F = C F U {r 2 } // is merged with the existing cluster. 13.
Else If such cluster C F is not found then 14.
If r 1 is not yet clustered then // none of the rules is similar to r 1 20.
End If 22. End Loop 23. End ______________________________________________________ The implementation of our enhanced clustering approach clusters the given set of rules. Fig. 9 shows the results of our 253 | P a g e www.ijacsa.thesai.org implementation. We managed six tables Rules, Operations, Subject, Object, Environment, and Clusters to store the detail of rules, operations on objects, subjects, objects, environments, and clusters respectively. The creation of an individual table for every entity avoids the redundancy of data and null values.
Rule clustering module (RCM) proposes an approach to cluster ABAC Policies before policy validation to improve the performance of the model (Resolving the policy errors in every rule is a time-consuming and complex process). We used only the basic technique of the hierarchical clustering algorithm. We introduce a novel clustering (rule-specificcluster-merging) and resolved the two major problems of clustering: avoidable-redundancy (the same rule is contained in many clusters), and avoids the conflict clusters (not all rules in clusters are similar). The scopes of our approach are: • We used a rule-specific-cluster-merging approach ( instead of using the rule-sub-module-reduction method or cluster-merging method ). (time complexity is low).
• If two rules are already clustered, our approach will not entertain the clustering once again (reduces the number of clusters and a rule is not stored in multiple clusters unnecessarily).
• If a pair of rules are similar and anyone rule is already clustered, then we are seeking to cluster the next one with the specific clusters where the clustered rule is a member. ( improves the performance of the process).
• A rule is merged with the existing cluster if all the rules of the existing clusters are similar only (avoids conflict-clusters-not all rules in a cluster are similar).

V. RESULTS AND DISCUSSION
We described and compared our approach with the hierarchical clustering algorithm. Fig. 10 illustrates the example of the hierarchical clustering algorithm.
We took eight rules {R1,R2,R3,R4,R5,R6,R7,R8} for clustering. In the first step, the hierarchical algorithm considers each rule as a cluster. At each iteration, every cluster is compared with other clusters and the similar clusters are merged. This is a continuous process while there are comparable clusters. Let we consider.
C is the cluster to be compared, k is the number of current clusters, k-1 is the number of clusters excluding C, r1 is the number of rules in the i th cluster (1≤ i≤ k-1) and r2 is the number of rules in C.  11 illustrates the same example of clustering eight rules with our proposed approach. In the first step of our approach, we compare every rule R i (1≤i≤n-1, n is the number of rules) with Rj (i+1 ≤ j ≤ n). At each iteration, the unclustered rule is compared only with the specific clusters, not all the clusters. Thus if R1 and R2 are similar rules, R1 is clustered and R2 is yet to clustered, then R2 is compared with the clusters that contain R1. If k is the number of specific clusters (where the feasibility of similarity occurs for the unclustered rule) and t is the number of rules in the k th cluster, then our approach requires k×t comparisons only. Hence our approach reduces the number of comparisons and consumes less time than the other approaches. For the discussion of our proposed approach, we took five rules as a sample (listed in Table VII) to make the discussion easy and understandable.   Table VIII. Our novel clustering approach produces three clusters C1={2,5,4}C2={1,2} C3={3} for the above five rules. In our proposed approach, all rules in every cluster are similar. Thus a rule is merged if it is similar to all the rules already exist in that cluster. In some previous researches, the number of clusters is very high. Also, only minimum rules are similar in a cluster, and this leads to complexities in detecting and removing anomalies [22]. Unlike the rule-sub-modulereduction method [21], we merge the cluster at the time of the creation of the cluster itself, which increases the performance of the approach. In our previous work [28], we introduced the parameter priority-level to avoid the anomaly conflict-demand and reduce the more number of clusters. Although our previous research reduced the number of clusters, this enhanced cluster with the cluster-merging technique decreases the creation of more clusters and also maintains the constraints that all rules in a cluster are similar only. Fig. 12 illustrates the comparison of our novel rulespecific clustering approach (RSCA) with the previous approaches 'Cluster-based approach' (CBA) and 'Log-based clustering approach' ( LBCA) [21][22] (Maryem Ait El Hadj, Mohammed Erradi). CBA generates more clusters than LBCA and RSCA. Comparing to the hierarchical clustering algorithm(HCA) and other discussed previous approaches, our proposed clustering approach reduces the generation of more clusters and the number of comparisons, hence this result shows that our proposed approach consumes less time and increases the performance of the clustering technique and this helps to improve the efficiency of the ABAC model. Fig. 13 gives the comparative analysis of the existing approaches with our proposed approach based on the time complexity (Time is represented as Nanoseconds). Table IX shows the qualitative analysis of clustering approaches. We used rule-redundancy-clusters (the same rule is clustered in multiple clusters), conflict-clusters (not all the rules in a cluster are similar), high-cluster-generation (more number of clusters are generated), and less time-consuming (measured based on the number of comparisons and iterations) to perform this qualitative analysis.

VI. CONCLUSION
Cloud service providers use many access control models in the implementation of the intrusion detection system to secure big data and other shared resources in the distributed environment. ABAC model meets the security requirements of advanced computing technologies like cloud computing, fog computing, and the Internet of Things (IoT). Detection and Removal of Anomalies (DRA) in the policies improve the efficiency and reliability of the model. Applying DRA in every cluster of rules rather than in every rule enhances the performance of the approach highly. Existing DRA approaches have the inability to prove the efficiency of the model, due to applying the poor clustering approach or the approach which not properly detect and resolve all considerable anomalies. Our research contribution consists of three modules: 1) developing a tool to generate ABAC policies; 2) Storing and managing ABAC policies in the database; 3) applying a novel rule-specific-cluster-merging algorithm to cluster ABAC policies. In previous researches, clustering methods produce more clusters and cluster a rule in multiple clusters. The previous approaches generate conflict clusters thus not all the rules in a cluster are similar, which results that in increases the complexity of the approach and degrades the performance too. Our novel approach with the rule-specific-cluster-merging technique reduces the generation of more clusters, avoids the clustering of the same rule in multiple clusters and conflict clusters. With our RSCA algorithm, we decrease the number of comparisons. Hence our approach gives high performance and reduces the complexity in applying DRA. The additional parameter priority-level in every rule avoids the anomaly conflict-demand. This is only our part of research towards improving the performance and efficiency of the ABAC model. Our future work is to detect and resolve the rule redundancy at the time of clustering to decrease the complexity in the clustering mechanism. In the future, we will propose an approach to detect and resolve all considerable policy errors to improve the efficiency of the ABAC model and intrusion detection system.