基于统计分析优化的高性能XACML策略评估引擎

doi:10.3969/j.issn.1000-436x.2014.08.025

摘要/Abstract

摘要：

为提高分布式环境下XACML策略评估引擎的效率，提出了新的XACML策略评估引擎HPEngine。该引擎利用基于统计分析的策略优化机制动态精化策略，并将精化的策略由于统计分析的多级缓存机制存储频繁调用的请求结果对、属性和策略信息。仿真结果表明，HPEngine所采用的基文本形式转化为数值形式；同时采用基于统计分析的多级优化机制缩减了策略规模，了匹配速度，整体评估性能优于其他同类系统。降低了引擎和其他功能部件的通信损耗，减少了匹配运算量，提高了匹配速度，整体评估性能优于其他同类系统。

关键词: 可扩展的访问控制标记语言, 策略评估引擎, 统计分析, 策略优化

Abstract:

To improve the efficiency of the XACML(eXtensible access control markup language) policy evaluation en-gine under distributed environment, a novel XACML policy evaluation engine, HPEngine was proposed. The HPEngine dynamically refined policies based on statistical analysis of the policy optimization mechanism first and transformed text form of policy into numerical afterward. Moreover, the engine adopted the multi-level caching mechanism based on the statistical analysis to store frequently called request-results, attributes and policy information. Emulation results show that multi-level optimization mechanisms based on the statistical analysis applied in HPEngine significantly reduce the size of policies, decrease the communication cost between the engine and other components, lessen the amount of matching op-eration and improve the speed of matching. Comparative analysis demonstrates that HPEngine is obviously better in per-formance than other similar systems.

Key words: XACML, policy evaluation engine, statistical analysis, policy optimization

牛德华,马建峰,马卓,李辰楠,王蕾. 基于统计分析优化的高性能XACML策略评估引擎[J]. 通信学报, 2014, 35(8): 206-215.

De-hua NIU,Jian-feng MA,Zhuo MA,Chen-nan LI,Lei WANG. HPEngine: high performance XACML policy evaluation engine based on statistical analysis[J]. Journal on Communications, 2014, 35(8): 206-215.

图/表 16

图1

图2

表1

表2

表3

规则冗余分析过程及结果"

	策略内规则冗余分析		策略间规则冗余分析
P₁	(R₁,R₂)不存在状态覆盖关系	(P₁,P₂)	(R₁,R₄)不存在状态覆盖关系
	(R₁,R₃) $S t a t e_{R_{1}} ≺ S t a t e_{R_{3}},$ 但R₁不是冗余		(R₃,R₄)不存在状态覆盖关系
	(R₂,R₃) $S t a t e_{R_{1}} ≺ S t a t e_{R_{3}},$ R₂冗余
P₂	(R₄,R₅) $S t a t e_{R_{5}} ≺ S t a t e_{R_{4}},$ R₅冗余	(P₁,P₃)	(R₁,R₆)不存在状态覆盖关系(R₃,R₆)不存在状态覆盖关系
P₃	(R₆,R₇) $S t a t e_{R_{7}} ≺ S t a t e_{R_{6}},$ R₇冗余	(P₂,P₃)	(R₄,R₆) $S t a t e_{R_{6}} ≺ S t a t e_{R_{4}},$ R₇冗余

表3

图3

表4

图4

图5

图6

图7

图8

表5

图9

图10

图11

参考文献 16

[1]	Brief Introduction to XACML[EB/OL]. .
[2]	Sun XACML[EB/OL]. .
[3]	XACMLight[EB/OL]. .
[4]	AXESCON XACML[EB/OL]. .
[5]	Enterprise XACML[EB/OL]. .
[6]	BUTLER B , JENNINGS B , FAME D B . XACML policy perfor mance evaluation using a flexible load testing framework[A]. Proceedings of the 17th ACM conference on Computer and communications security (CCS)[C]. New York, USA, 2010, 978-980.
[7]	LIU A X , CHEN F , HWANG J H . esigning fast and scalable XACML policy evaluation engines[J]. IEEE Transactions on Com-puters, 2011, 60(12): 1802-1817.
[8]	LIU A X , CHEN F , HWANG J H . XEngine: a fast and scalable XACML policy evaluation engine[A]. Proceedings of the 2008 ACM-SIGMETRICS International Conference on Measurement and Model-ing of Computer Systems[C]. New York, USA, 2008, 265-276.
[9]	MAROUF S , SHEHAB M , SQUICCIARINI A . Adaptive reordering and clustering-based framework for efficient XACML policy evalua-tion[J]. IEEE Transactions on Services Computing, 2011, 10(4): 300-313.
[10]	王雅皙，冯登国，张立武 . 基于多层次优化技术的XACML策略评估引擎[J]. 软件学报， 2011,22(2):323-338. WANG Y Z , FENG D G , ZHANG L W . XACML policy evaluation engine based on multi-level optimization technology[J]. JJournal of Software, 2011,22(2):323-338.
[11]	王雅皙，冯登国 . 一种XACML规则冲突及冗余分析方法[J]. 计算机学报， 2009,32(3):516-530. WANG Y Z , FENG D G . A conflict and redundancy analysis method for XACML rules[J]. Chinese Journal of Computers, 2009,32(3):516-530.
[12]	STEPIEN B , MATWIN S , FELTY A . An algorithm for compression of XACML access control policy sets by recursive subsumption[A]. 2012 Seventh International Conference on Availability, Reliability and Se-curity[C]. Ottawa, Canada, 2012, 161-167.
[13]	PHILIP L , MISELDINE S A , KARLSRUHE . Automated xacml policy reconfiguration for evaluation optimization[A]. Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems[C] New York, USA, 2008. 1-8.
[14]	TURKMEN F , CRISPO B . Performance evaluation of XACML PDP implementations[A]. Proceedings of the 2008 ACM Workshop on Se-cure web services[C] New York, USA, 2008. 37-44.
[15]	XACML 2.0 conformance tests[EB/OL]. .
[16]	FISLER K , KRISHNAMURTHI S , MEYEROVICH L . Verification and change impact analysis of access-control policies[A]. Proceedings of the 27th International Conference on Software Engineering[C] New York, USA, 2005. 196-205.

策略id	允许率/%	拒绝率/%	调用频率/(次·周)^?1
1	66	34	47 806
2	89	11	6 312
3	0	0	0

规则id	策略	允许率/%	拒绝率/%	调用频率/(次·周)^?1
1	1	0.4	1.6	826
2	1	0	0	0
3	1	78	20	46 980
4	2	55	45	6 312
5	2	0	0	0
6	3	0	0	0
7	3	0	0	0

Subject	Resource	Action
admin:0	grades/:0	read:0
president:1	grades/excel:1	write:1
teacher:2	wages/:2	—
student:3	wages/excel:3	—

评估引擎	策略加载模式	策略存储模式	策略匹配模式	特殊优化机制
Sun XACML	静态	策略列表	两次匹配	无
Enterprise XACML	静态	一级散列表	一次查找	索引结构
XEngine	静态	树结构	一次匹配	数值化、标准化
MLOBEE	静态	两级散列表	3次查找	规则精简、多级缓存，两级索引
HPEngine	静态	两级散列表	一次匹配	统计分析、规则重排序、数值化、多级缓存、两级索引