M. Abadi, Logic in access control, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings., pp.228-136, 2003.
DOI : 10.1109/LICS.2003.1210062

[. Ahn, H. Hu, J. Lee, and &. Meng, Representing and Reasoning about Web Access Control Policies, 2010 IEEE 34th Annual Computer Software and Applications Conference, pp.137-146, 2010.
DOI : 10.1109/COMPSAC.2010.20

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

]. J. [-alfaro2007, F. Alfaro, &. N. Cuppens, and . Cuppens-boulahia, Aggregating and Deploying Network Access Control Policies, The Second International Conference on, pp.532-542, 2007.

]. J. [-alfaro2008, N. Alfaro, &. F. Boulahia-cuppens, and . English, Complete analysis of configuration rules to guarantee reliable network security policies, International Journal of Information Security, vol.29, issue.2, pp.103-122, 2008.
DOI : 10.1007/s10207-007-0045-7

A. Alfaro, F. Cuppens, N. Cuppens-boulahia, S. M. Perez, and &. Cabot, Management of stateful firewall misconfiguration, Computers & Security, vol.39, pp.64-85, 2013.
DOI : 10.1016/j.cose.2013.01.004

]. E. Alshaer2004, &. H. Al-shaer, and . Hamed, Modeling and Management of Firewall Policies, Network and Service Management, pp.2-10, 2004.

]. E. Alshaer2005, H. Al-shaer, R. Hamed, &. M. Boutaba, and . Hasan, Conflict classification and analysis of distributed firewall policies, IEEE Journal on Selected Areas in Communications, vol.23, issue.103, pp.2069-2084, 2005.

]. E. Alshaer2009, W. Al-shaer, A. Marrero, &. K. El-atawy, and . Elbadawi, Network configuration in a box: towards end-to-end verification of network reachability and security, 17th IEEE International Conference on, pp.123-132, 2009.

[. Baker, M. Hansbury, and &. Haynes, The OVAL Language Specification (Version 5.10.1). Specification. MITRE, pp.39-50, 2012.

]. M. Barrere2012, R. Barrere, &. O. Badonnel, and . Festor, Towards the assessment of distributed vulnerabilities in autonomic networks and systems, 2012 IEEE Network Operations and Management Symposium, pp.335-342, 2012.
DOI : 10.1109/NOMS.2012.6211916

]. C. Basile2012, A. Basile, and A. Lioy, Network-Level Access Control Policy Analysis and Transformation, IEEE/ACM Transactions on Networking, vol.20, issue.4, pp.985-998, 2012.
DOI : 10.1109/TNET.2011.2178431

[. Basile, M. M. Casalino, S. , and S. Paraboschi, In: John Vacca. Computer and Information Security Handbook Chapter Detection of conflicts in security policies, 2013.

Y. Moritz, C. Becker, &. Fournet, D. Andrew, and . Gordon, SecPAL: Design and Semantics of a Decentralized Authorization Language, 2006.

]. A. Behl2012, &. K. Behl, and . Behl, An analysis of cloud computing security issues, Information and Communication Technologies (WICT), 2012 World Congress on. 2012, pp.109-114

]. S. Bellovin2009, &. R. Bellovin, and . Bush, Configuration management and security, Selected Areas in Communications, pp.268-274, 2009.
DOI : 10.1109/JSAC.2009.090403

[. Bertino, B. Catania, E. Ferrari, and P. Perlasca, A logical framework for reasoning about access control models, In: ACM Transactions on Information & System Security, vol.61, pp.71-127, 2003.

[. Bertino, A. C. Squicciarini, I. Paloscia, and &. Martino, Ws-AC: A Fine Grained Access Control System for Web Services, World Wide Web, vol.9, issue.2, pp.143-171, 2006.
DOI : 10.1007/s11280-005-3045-4

L. E. Bertossi, Database Repairing and Consistent Query Answering. Synthesis Lectures on Data Management, 2011.

[. Bettan, S. Ponta, K. Musaraj, &. Casalino, S. Audit-in-terface et al., FP7-ICT-2009.1.4 Project PoSecCo (no. 257129, www, pp.6-76, 2012.

[. Bishop and S. Peisert, Your Security Policy is What, 2006.

[. Bonatti, S. De-capitani-di-vimercati, and &. Samarati, An algebra for composing access control policies, ACM Transactions on Information and System Security, vol.5, issue.1, pp.1-35, 2002.
DOI : 10.1145/504909.504910

[. Bonatti, J. Coi, D. Olmedilla, and &. Sauro, Rule-Based Policy Representations and Reasoning, Semantic Techniques for the Web, pp.201-232, 2009.
DOI : 10.1145/605434.605435

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=

]. D. Brewer1989, &. J. Brewer, and . Nash, The Chinese Wall security policy, Proceedings. 1989 IEEE Symposium on Security and Privacy, pp.206-214, 1989.
DOI : 10.1109/SECPRI.1989.36295

G. Bruns and &. Michael-huth, Access control via belnap logic, ACM Transactions on Information and System Security, vol.14, issue.1, pp.1-9, 2011.
DOI : 10.1145/1952982.1952991

J. Bryans, Reasoning about XACML policies using CSP, Proceedings of the 2005 workshop on Secure web services , SWS '05, pp.28-35, 2005.
DOI : 10.1145/1103022.1103028

]. A. Buttner2009, &. N. Buttner, and . Ziring, Common Platform Enumeration (CPE) - Specification. Specification, MITRE, 2009.

M. M. Casalino, M. Mangili, H. Plate, &. Serena, and E. Ponta, Detection of Configuration Vulnerabilities in Distributed (Web) Environments, Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol.106, pp.131-148, 2012.
DOI : 10.1007/3-540-62222-5_34

M. M. Casalino, H. Plate, &. Serena, and E. Ponta, Configuration Assessment as a Service, Lecture Notes in Computer Science, vol.7731, pp.217-226, 2012.
DOI : 10.1007/978-3-642-35890-6_16

M. M. Casalino, R. Thion, and &. Hacid, Access Control Configuration for J2EE Web Applications: A Formal Perspective, Lecture Notes in Computer Science, vol.7449, pp.30-35, 2012.
DOI : 10.1007/978-3-642-32287-7_3

URL : https://hal.archives-ouvertes.fr/hal-01353147

[. Thion, Extending Multivalued Dependencies for Access Control Policy Refactoring In: 29eme journées Bases de Données Avancées (BDA) Conference without formal proceedings, p.5601, 2013.

M. M. and C. Thion, Refactoring Multi-Layered Access Control Policies Through (De)Composition
URL : https://hal.archives-ouvertes.fr/hal-01339261

. Cfengine and . Cfengine, URL: http://www.cfengine.org (visited on 02, 2014.

[. Mordani, Java Servlet Specification, Version 3.1. Specification JSR-340. Oracle, 2013.

]. B. Cheikes2011, D. Cheikes, &. K. Waltermire, and . Scarfone, Common Platform Enumeration: Naming Specification Version 2.3. Specification, NIST, 2011.
DOI : 10.6028/NIST.IR.7695

[. Chen, Q. Zheng, and &. Xiaohong-guan, An OVAL-based active vulnerability assessment system for enterprise computer networks, pp.573-588, 2008.

M. J. Covington, P. Fogla, Z. Zhan, and &. M. Ahamad, A context-aware security architecture for emerging applications, 18th Annual Computer Security Applications Conference, 2002. Proceedings., pp.249-258, 2002.
DOI : 10.1109/CSAC.2002.1176296

[. Coward and &. Yoshida, Java Servlet Specification, Version 2.4. Specification JSR-154, pp.30-79, 2003.

J. Crampton and &. Michael-huth, A Framework for the Modular Specification and Orchestration of Authorization Policies, Lecture Notes in Computer Science, vol.6, issue.2, pp.155-170, 2010.
DOI : 10.1145/762476.762481

J. Crampton and &. Morisset, PTaCL: A Language for Attribute-Based Access Control in Open Systems, Lecture Notes in Computer Science, vol.7215, pp.390-409, 2012.
DOI : 10.1007/978-3-642-28641-4_21

J. Crampton and &. Morisset, Towards A Generic Formal Framework for Access Control Systems, pp.16-105, 1204.

]. R. Craven2010, J. Craven, E. Lobo, A. Lupu, &. M. Russo et al., Decomposition techniques for policy refinement, 2010 International Conference on Network and Service Management, pp.72-79, 2010.
DOI : 10.1109/CNSM.2010.5691331

[. Craven, J. Lobo, E. Lupu, A. Russo, and M. Sloman, Policy refinement: Decomposition and operationalization for dynamic domains, pp.1-9, 2011.

[. Csis, Securing Cyberspace for the 44th Presidency DC: Center for Strategic and International Studies URL: http://csis.org/files/media/ csis, 2008.

F. Cuppens, N. Cuppens-boulahia, T. Sans, and &. Miège, A Formal Approach to Specify and Deploy a Network Security Policy, pp.203-218, 2004.
DOI : 10.1007/0-387-24098-5_15

A. Michael and . Davis, 2012 Strategic Security Survey, 2012.

]. S. Davy2008a, B. Davy, &. J. Jennings, and . Strassner, Application Domain Independent Policy Conflict Analysis Using Information Models, IEEE/IFIP Network Operations and Management Symposium, pp.13-147, 2008.

[. Davy, B. Jennings, and &. Strassner, The policy continuum – Policy authoring and conflict analysis, Computer Communications, vol.31, issue.13, pp.2981-2995, 2008.
DOI : 10.1016/j.comcom.2008.04.018

[. Dmtf, Common Information Model (CIM) Core Model. Specification DSP0111. Distributed Management Task Force, 2000.

[. Dmtf, CIM Query Language Specification. Specification DSP0202. Distributed Management Task Force, 2007.

[. Dmtf, Configuration Management Database (CMDB) Federation Specification Version 1.0.1. Specification DSP0252. Distributed Management Task Force, 2010.

[. Fabian, S. Gürses, M. Heisel, T. Santen, and &. English, A comparison of security requirements engineering methods, Requirements Engineering, vol.4, issue.2, pp.7-40, 2010.
DOI : 10.1007/s00766-009-0092-x

[. Fagin, Multivalued dependencies and a new normal form for relational databases, ACM Transactions on Database Systems, vol.2, issue.3, pp.262-278, 1977.
DOI : 10.1145/320557.320571

K. Fisler, S. Krishnamurthi, L. A. Meyerovich, &. Michael, and C. Tschantz, Verification and change-impact analysis of access-control policies, pp.196-205, 2005.

N. Simon, &. Foley, M. William, and . Fitzgerald, Management of security policy configuration using a Semantic Threat Graph approach, J. Comput. Secur, vol.19, pp.567-605, 2011.

[. Frank, J. M. Buhmann, and &. David-basin, On the definition of role mining, Proceeding of the 15th ACM symposium on Access control models and technologies, SACMAT '10, pp.35-44, 2010.
DOI : 10.1145/1809842.1809851

Z. Fu, S. Wu, H. Huang, K. Loh, F. Gong et al., IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution, Lecture Notes in Computer Science, vol.14, pp.39-56, 1995.
DOI : 10.1007/3-540-44569-2_3

]. M. Gouda2005, &. A. Gouda, and . Liu, A Model of Stateful Firewalls and Its Properties, 2005 International Conference on Dependable Systems and Networks (DSN'05), pp.128-137, 2005.
DOI : 10.1109/DSN.2005.9

P. Dimitar, M. Guelev, &. Ryan, Y. Pierre, and . Schobbens, Model-Checking Access Control Policies Information Security, Lecture Notes in Computer Science, vol.3225, issue.148, pp.219-230, 2004.

[. Gutiérrez, C. A. Hurtado, &. Alberto, and O. Mendelzon, Formal aspects of querying RDF databases, pp.293-307, 2003.

]. L. Habib2009, M. Habib, and C. Morisset, Formal definition and comparison of access control models, Journal of Information Assurance and Security, vol.4, issue.134, pp.372-378, 2009.

T. W. Hall, J. E. Hunton, and &. Pierce, Sampling Practices of Auditors in Public Accounting, Industry, and Government (Retracted), Accounting Horizons, vol.16, issue.2, pp.125-136, 2002.
DOI : 10.2308/acch.2002.16.2.125

Y. Joseph, V. Halpern, and . Weissman, Using First-Order Logic to Reason about Policies, In: ACM Trans. Inf. Syst. Secur, vol.11, issue.4, pp.1-41, 2008.

]. H. Hamed2006 and &. E. Hamed, Taxonomy of conflicts in network security policies, IEEE Communications Magazine, vol.44, issue.3, pp.134-141, 2006.
DOI : 10.1109/MCOM.2006.1607877

W. Han and &. Lei, A survey on policy languages in network and security management, Computer Networks, vol.56, issue.1, pp.477-489, 2012.
DOI : 10.1016/j.comnet.2011.09.014

A. Johnson, K. Dempsey, R. Ross, S. Gupta, and &. Bailey, Guide for Security-Focused Configuration Management of Information Systems. NIST Special Publication SP800-128, 2011.

]. K. Kark2006, L. M. Kark, &. S. Orlov, and . Bright, How To Manage Your Information Security Policy Framework, Forrester Research, 2006.

[. Karvounarakis, &. Todd, and J. Green, Semiring-annotated data, ACM SIGMOD Record, vol.41, issue.3, pp.5-14, 2012.
DOI : 10.1145/2380776.2380778

L. Lora, &. Kassab, J. Steven, and . Greenwald, Towards formalizing the Java security architecture of JDK 1.2. In: Computer Security – ESORICS 98, Lecture Notes in Computer Science, vol.1485, pp.191-207, 1998.

Z. Kerravala, As the Value of Enterprise Networks Escalates, So Does the Need for Configuration Management

[. Kolovski, J. Hendler, and &. Parsia, Analyzing web access control policies, Proceedings of the 16th international conference on World Wide Web , WWW '07, pp.677-686, 2007.
DOI : 10.1145/1242572.1242664

M. Lenzerini, Data integration, Proceedings of the twenty-first ACM SIGMOD-SIGACT-SIGART symposium on Principles of database systems , PODS '02, pp.233-246, 2002.
DOI : 10.1145/543613.543644

J. Ligatti, L. Bauer, and &. Walker, Run-Time Enforcement of Nonsafety Policies, ACM Transactions on Information and System Security, vol.12, issue.3, pp.1-1941, 2009.
DOI : 10.1145/1455526.1455532

. Alexx and . Liu, Change-Impact Analysis of Firewall Policies. In: Computer Security – ESORICS, Lecture Notes in Computer Science, vol.4734, issue.142, pp.155-170, 2007.

[. Lodderstedt, D. Basin, and &. English, SecureUML: A UML-Based Modeling Language for Model-Driven Security, Lecture Notes in Computer Science, vol.2460, pp.426-441, 2002.
DOI : 10.1007/3-540-45800-X_33

C. Emil, M. Lupu, and . Sloman, Conflicts in Policy-Based Distributed Systems Management, IEEE Trans. Softw. Eng, vol.25, issue.103, pp.852-869, 1999.

[. Macdonald and &. Peter-firstbrook, How to Devise a Server Protection Strategy, 2011.

[. Martínez, J. Garcia-alfaro, F. Cuppens, N. Cuppens-boulahia, and &. Cabot, Model-Driven Extraction and Analysis of Network Security Policies, Lecture Notes in Computer Science, vol.8107, pp.52-68, 2013.
DOI : 10.1007/978-3-642-41533-3_4

]. A. Mayer2000, A. Mayer, &. E. Wool, and . Ziskind, Fang: a firewall analysis engine, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000, pp.177-187, 2000.
DOI : 10.1109/SECPRI.2000.848455

. Mcafee, . Mcafee-policy, and . Auditor, URL: http://www.mcafee.com/us/products/policy-auditor.aspx (visited on 02, 2014.

[. Mellado, C. Blanco, L. E. Sánchez, and &. Eduardo-fernández-medina, A systematic review of security requirements engineering, Computer Standards & Interfaces, vol.32, issue.4, pp.153-165, 2010.
DOI : 10.1016/j.csi.2010.01.006

]. R. Moen2010, &. C. Moen, and . Norman, Circling Back: Clearing up myths about the Deming cycle and seeing how it keeps evolving, pp.22-28, 2010.

J. D. Moffett, &. Morris, and S. Sloman, Policy conflict analysis in distributed system management, Journal of Organizational Computing, vol.3, issue.1, pp.1-22, 1994.
DOI : 10.1080/10919399409540214

I. Molloy, N. Li, T. Li, Z. Mao, Q. Wang et al., Evaluating role mining algorithms, Proceedings of the 14th ACM symposium on Access control models and technologies, SACMAT '09, pp.95-104, 2009.
DOI : 10.1145/1542207.1542224

[. Montanari, E. Chan, K. Larson, W. Yoo, &. Royh et al., Distributed Security Policy Conformance In: Future Challenges in Security and Privacy for Academia and Industry, IFIP Advances in Information and Communication Technology, pp.210-222, 2011.

R. Monzillo, Java Authorization Contract for Containers, Version 1.5. Specification JSR-115, p.95, 2013.

[. Centonze, Static analysis of role-based access control in J2EE applications

]. T. Nelson2010, C. Nelson, D. J. Barrat, K. Dougherty, &. Fisler et al., The Margrave Tool for Firewall Analysis, Proceedings of the 24th international conference on Large installation system administration, LISA '10, pp.1-8, 2010.

[. Ni, E. Bertino, and &. Lobo, D-algebra for composing access control policy decisions, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, ASIACCS '09, pp.298-309, 2009.
DOI : 10.1145/1533057.1533097

[. Nist, Security Content Automation Protocols, 2009.

. Nvd and . Nist, National Vulnerability Databases URL: http://nvd.nist.gov (visited on 02, 2014.

. [. Simon-godik, eXtensible Access Control Markup Language (XACML) Version 1.0. Specification. OASIS, Feb, p.14, 2003.

. Openscap and . Openscap, URL: http://www.open-scap.org (visited on 04, 2014.

[. Oppenheimer, The importance of understanding distributed system configuration In: System Administrators are Users, Too: Designing Workspaces for Managing Internet-Scale Systems CHI 2003 (Conference on Human Factors in Computing Systems, 2003.

[. Oppenheimer, A. Ganapathi, &. David, and A. Patterson, Why Do Internet Services Fail, and What Can Be Done About It, Proceedings of the 4th Conference on USENIX Symposium on Internet Technologies and Systems -Volume 4. USITS'03, p.8, 2003.

[. Ou, S. Govindavajhala, &. Andrew, and W. Appel, MulVAL: a logic-based network security analyzer, USENIX Security Symposium, 2005.

]. Ovaldi, . Mitre, and . Ovaldi, the OVAL interpreter reference implementation URL: http://oval.mitre.org/language/interpreter.html (visited on 02, 2014.

[. Owasp, Top 10 Most Critical Web Application Security Risks URL: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2010, pp.10-79, 2010.

[. Owasp, Top 10 Most Critical Web Application Security Risks URL: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013, pp.10-79, 2013.

]. M. Parmelee2011, H. Parmelee, D. Booth, &. K. Waltermire, and . Scarfone, Common Platform Enumeration: Name Matching Specification Version 2.3, Specification. NIST, 2011.

A. Polyakov, A crushing blow at the heart of SAP J2EE Engine White Paper URL: http : / / erpscan . com / wp -content / uploadsA-crushing -blow -at -the -heart -SAP -J2EE engine_whitepaper .pdf, ERPScan, vol.0823, issue.82, pp.27-29, 2011.

S. Preda, N. Cuppens-boulahia, F. Cuppens, J. Garcia-alfaro, and &. Laurent-toutain, Model-Driven Security Policy Deployment: Property Oriented Approach, Lecture Notes in Computer Science, vol.5965, issue.134, pp.123-139, 2010.
DOI : 10.1007/978-3-642-11747-3_10

URL : https://hal.archives-ouvertes.fr/hal-00540842

S. Preda, F. Cuppens, N. Cuppens-boulahia, J. Garcia-alfaro, and &. Laurent-toutain, Dynamic deployment of context-aware access control policies for constrained security devices, Journal of Systems and Software, vol.84, issue.7, pp.1144-1159, 2011.
DOI : 10.1016/j.jss.2011.02.005

URL : https://hal.archives-ouvertes.fr/hal-00609526

Z. Peter and . Revesz, Constraint Databases: A Survey, Selected Papers from Semantics in Databases Workshop, pp.209-246, 1995.

[. Samak, A. El-atawy, and &. , Towards network security policy generation for configuration analysis and testing, Proceedings of the 2nd ACM workshop on Assurable and usable security configuration, SafeConfig '09, pp.45-52, 2009.
DOI : 10.1145/1655062.1655072

[. Sans, Seven Security (Mis)Configurations in Java web.xml Files URL: http://software-security.sans.org/blog, p.41, 2010.

[. Sans, Critical Controls for Effective Cyber Defense, 2013.

[. Satoh and &. Tokuda, Security Policy Composition for Composite Services, 2008 Eighth International Conference on Web Engineering, pp.86-97, 2008.
DOI : 10.1109/ICWE.2008.23

[. Savnik, &. Peter, and A. Flach, Discovery of multivalued dependencies from relations, In: Intell. Data Anal, vol.43, issue.4, pp.195-211, 2000.

F. B. Schneider, Enforceable security policies, ACM Transactions on Information and System Security, vol.3, issue.1, pp.30-50, 2000.
DOI : 10.1145/353323.353382

]. M. Sloman2002, &. E. Sloman, and . Lupu, Security and management policy specification, IEEE Network, vol.16, issue.2, pp.10-19, 2002.
DOI : 10.1109/65.993218

[. Sun, G. Huang, and H. Mei, Validating Access Control Configurations in J2EE Applications, Proceedings of the 11th International Symposium on Component-Based Software Engineering. CBSE'08, pp.64-79, 2008.
DOI : 10.1007/978-3-540-87891-9_5

S. Andrew, &. Tanenbaum, and . Maarten-van-steen, Distributed systems, 2002.

K. Roshan, R. Thomas, and . Sandhu, Models, Protocols, and Architectures for Secure Pervasive Computing: Challenges and Research Directions, Pervasive Computing and Communications Workshops, IEEE International Conference on, p.164, 2004.

A. Tongaonkar, N. Inamdar, and &. R. Sekar, Inferring Higher Level Policies from Firewall Rules, Proceedings of the 21st international conference on Large installation system administration , LISA '07, pp.17-26, 2007.

V. Mahesh, &. Tripunitara, and . Li, A theory for comparing the expressive power of access control models, In: J. Comput. Secur, vol.15, issue.134, pp.231-272, 2007.

J. Tudor, Web Application Vulnerability Statistics 2013, 2013.

J. D. Ullman, Information integration using logical views, 1997.

]. A. Uszok2003, J. Uszok, R. Bradshaw, N. Jeffers, P. Suri et al., KAoS policy and domain services: toward a description-logic approach to policy representation, deconfliction, and enforcement, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks, pp.93-96, 2003.
DOI : 10.1109/POLICY.2003.1206963

[. Vaidya, V. Atluri, and &. Guo, The role mining problem, Proceedings of the 12th ACM symposium on Access control models and technologies , SACMAT '07, pp.175-184, 2007.
DOI : 10.1145/1266840.1266870

]. S. Vimercati2007, S. Capitani-di-vimercati, S. Foresti, &. Jajodia, and . English, Access Control Policies and Languages in Open Environments In: Secure Data Management in Decentralized Systems Advances in Information Security, pp.21-58, 2007.

]. D. Waltermire2011, S. Waltermire, &. K. Quinn, and . Scarfone, The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.1, 2011.
DOI : 10.6028/NIST.SP.800-126r1

]. A. Westerinen2001, J. Westerinen, J. Schnizlein, M. Strassner, B. Scherling et al., Terminology for Policy-Based Management, Request for Comments RFC3198. Internet Engineering Task Force, pp.6-6, 2001.
DOI : 10.17487/rfc3198

J. Wijsen, Database repairing using updates, ACM Transactions on Database Systems, vol.30, issue.3, pp.722-768, 2005.
DOI : 10.1145/1093382.1093385

A. Wool, Trends in Firewall Configuration Errors: Measuring the Holes in Swiss Cheese, IEEE Internet Computing, vol.14, issue.4, pp.58-65, 2010.
DOI : 10.1109/MIC.2010.29

C. Wullems, M. Looi, and &. A. Clark, Towards context-aware security: an authorization architecture for intranet environments, IEEE Annual Conference on Pervasive Computing and Communications Workshops, 2004. Proceedings of the Second, pp.132-137, 2004.
DOI : 10.1109/PERCOMW.2004.1276919

[. Yin, X. Ma, J. Zheng, Y. Zhou, N. Lakshmi et al., An empirical study on configuration errors in commercial and open source systems, Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles, SOSP '11, pp.159-172, 2011.
DOI : 10.1145/2043556.2043572

E. Yuan and &. Tong, Attributed based access control (ABAC) for Web services, IEEE International Conference on Web Services (ICWS'05), pp.561-569, 2005.
DOI : 10.1109/ICWS.2005.25

[. Zhao, J. Lobo, A. Roy, &. Steven, and M. Bellovin, Policy refinement of network services for MANETs, 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops, p.14, 2011.
DOI : 10.1109/INM.2011.5990681

]. N. Ziring2008, &. S. Ziring, and . Quinn, Specification for the Extensible Configuration Checklist Description Format (XCCDF) Version 1.1.4. Specification. NIST, p.45, 2008.