Computer Science, 2016, Vol. 43, Issue (2): 163-168. doi: 10.11896/j.issn.1002-137X.2016.02.036

XACML Policy Optimization Method Based on Redundancy Elimination and Attribute Numericalization

QI Yong, CHEN Jun and LI Qian-mu   

  • Online: 2018-12-01 Published: 2018-12-01

Abstract: XACML (eXtensible Access Control Markup Language) has become one of the main access control standards. Access control systems need an effective XACML evaluation engine to ensure system availability. To address this need, this paper optimizes XACML policies in two respects, redundancy elimination and attribute numericalization, based on the potential shortcomings of XACML itself. Redundancy elimination removes the redundant rules in the policies and the redundant states between rules by applying a rule compression method. Attribute numericalization transforms the textual attributes of XACML policies into numerical attributes, so that the evaluation engine can use efficient numerical matching instead of inefficient string matching. In addition, a hash table stores the mappings between textual and numerical attributes, which benefits policy management. Simulation results show that a policy engine using the proposed optimization method is much faster than Sun XACML.

Key words: XACML, Policy optimization, Redundancy elimination, Attribute numericalization

