Research On XACML Strategy Optimization Method

Posted on: 2016-05-05
Degree: Master
Type: Thesis
Country: China
Candidate: J Chen
Full Text: PDF
GTID: 2208330461979228
Subject: Computer application technology
Abstract/Summary:
How to ensure the security of information and access to critical resources has become an important research topic, and access control is one of the important means of ensuring system security. XACML (eXtensible Access Control Markup Language) has become one of the main access control standards, and it calls for a high-performance policy evaluation engine. However, evaluation performance can easily become a bottleneck that restricts system availability when the number of policies and rules is huge. There is therefore an urgent need to improve the performance of the policy evaluation engine to ensure system availability.

To solve this problem, this paper optimizes XACML policies in four respects, based on the potential shortcomings of XACML itself: rule compression, redundancy elimination, attribute numericalization and dynamic reordering. Rule compression compresses simple rules into complex rules, reducing the number of matches from multiplicative to additive. Redundancy elimination removes redundant rules and redundant states from the policies, reducing the scale of the policies. Attribute numericalization transforms the textual attributes of XACML policies into numerical attributes, so that the evaluation engine can use efficient numerical matching instead of inefficient string matching. In addition, using a hash table to store the mappings between textual attributes and numerical attributes is beneficial for policy management. Dynamic reordering reorders the sequence of policies and rules in policy sets and policies, in order to put the policies and rules of high priority at the head of the execution queue, by making effective use of statistical data from policy evaluation and considering the complexity of policies and rules. Apart from dynamic reordering, the methods proposed in this paper are policy preprocessing carried out before the decision, independent of the specific matching process of policy evaluation. Therefore, because they are minimally invasive, they can be merged into a variety of other evaluation engines as a common optimization technique.

In order to verify the effectiveness of the proposed optimization methods, this paper lists the running time and efficiency ratio of each optimization method in the simulation experiments and the analysis of results. Experimental results show that each optimization method yields a varying degree of performance improvement compared to Sun XACML. Finally, this paper merges all the optimization methods and compares the merged method comprehensively with XEngine. Experimental results show that merging all the optimization methods can further improve the performance of the policy evaluation engine. The merged policy optimization method is much faster than Sun XACML PDP and better than the commercial application evaluation engine XEngine.
Keywords/Search Tags: XACML, policy optimization, rule compression, redundancy elimination, attribute numericalization, dynamic reordering
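An added example, not code from the thesis: one way the attribute numericalization described in the abstract could work for a flat first-applicable rule list, with the numeric form checked against the string form so the optimization cannot change a decision. The rule tuple layout, the class and function names, and the sample policy are assumptions made for illustration.

```python
"""Added illustration: attribute numericalization for a first-applicable rule list."""

UNKNOWN = -1  # id for request values that appear in no rule; matches nothing


class AttributeTable:
    """Hash table mapping textual attribute values to dense integer ids."""

    def __init__(self):
        self._ids = {}

    def intern(self, text):
        # Policy-load time: assign the next free id to a value not seen before.
        return self._ids.setdefault(text, len(self._ids))

    def lookup(self, text):
        # Request time: never grow the table from request input.
        return self._ids.get(text, UNKNOWN)


def numericalize(rules, table):
    """Convert (subject, resource, action, effect) string rules to integer form."""
    return [(table.intern(s), table.intern(r), table.intern(a), effect)
            for s, r, a, effect in rules]


def evaluate_text(rules, request):
    """Baseline: first-applicable evaluation using string comparison."""
    for s, r, a, effect in rules:
        if (s, r, a) == request:
            return effect
    return "NotApplicable"


def evaluate_numeric(num_rules, table, request):
    """Same semantics: hash each request value once, then compare integers."""
    key = tuple(table.lookup(v) for v in request)
    for s, r, a, effect in num_rules:
        if (s, r, a) == key:
            return effect
    return "NotApplicable"


# Constructed sample policy (hypothetical, not taken from the thesis).
RULES = [
    ("doctor", "record", "read", "Permit"),
    ("doctor", "record", "write", "Permit"),
    ("nurse", "record", "write", "Deny"),
    ("nurse", "record", "read", "Permit"),
]
TABLE = AttributeTable()
NUM_RULES = numericalize(RULES, TABLE)
```

Request values absent from the policy map to `UNKNOWN` rather than to a fresh id, so an unseen subject or action can never collide with a value a rule was written for.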