基于统计分析优化的高性能XACML策略评估引擎

doi:10.3969/j.issn.1000-436x.2014.08.025

Abstract

Abstract:

To improve the efficiency of the XACML(eXtensible access control markup language) policy evaluation en-gine under distributed environment, a novel XACML policy evaluation engine, HPEngine was proposed. The HPEngine dynamically refined policies based on statistical analysis of the policy optimization mechanism first and transformed text form of policy into numerical afterward. Moreover, the engine adopted the multi-level caching mechanism based on the statistical analysis to store frequently called request-results, attributes and policy information. Emulation results show that multi-level optimization mechanisms based on the statistical analysis applied in HPEngine significantly reduce the size of policies, decrease the communication cost between the engine and other components, lessen the amount of matching op-eration and improve the speed of matching. Comparative analysis demonstrates that HPEngine is obviously better in per-formance than other similar systems.

Key words: XACML, policy evaluation engine, statistical analysis, policy optimization

De-hua NIU,Jian-feng MA,Zhuo MA,Chen-nan LI,Lei WANG. HPEngine: high performance XACML policy evaluation engine based on statistical analysis[J]. Journal on Communications, 2014, 35(8): 206-215.

Figures/Tables 16

	策略内规则冗余分析		策略间规则冗余分析
P₁	(R₁,R₂)不存在状态覆盖关系	(P₁,P₂)	(R₁,R₄)不存在状态覆盖关系
	(R₁,R₃) $S t a t e_{R_{1}} ≺ S t a t e_{R_{3}},$ 但R₁不是冗余		(R₃,R₄)不存在状态覆盖关系
	(R₂,R₃) $S t a t e_{R_{1}} ≺ S t a t e_{R_{3}},$ R₂冗余
P₂	(R₄,R₅) $S t a t e_{R_{5}} ≺ S t a t e_{R_{4}},$ R₅冗余	(P₁,P₃)	(R₁,R₆)不存在状态覆盖关系(R₃,R₆)不存在状态覆盖关系
P₃	(R₆,R₇) $S t a t e_{R_{7}} ≺ S t a t e_{R_{6}},$ R₇冗余	(P₂,P₃)	(R₄,R₆) $S t a t e_{R_{6}} ≺ S t a t e_{R_{4}},$ R₇冗余

References 16

[1]	Brief Introduction to XACML[EB/OL]. .
[2]	Sun XACML[EB/OL]. .
[3]	XACMLight[EB/OL]. .
[4]	AXESCON XACML[EB/OL]. .
[5]	Enterprise XACML[EB/OL]. .
[6]	BUTLER B , JENNINGS B , FAME D B . XACML policy perfor mance evaluation using a flexible load testing framework[A]. Proceedings of the 17th ACM conference on Computer and communications security (CCS)[C]. New York, USA, 2010, 978-980.
[7]	LIU A X , CHEN F , HWANG J H . esigning fast and scalable XACML policy evaluation engines[J]. IEEE Transactions on Com-puters, 2011, 60(12): 1802-1817.
[8]	LIU A X , CHEN F , HWANG J H . XEngine: a fast and scalable XACML policy evaluation engine[A]. Proceedings of the 2008 ACM-SIGMETRICS International Conference on Measurement and Model-ing of Computer Systems[C]. New York, USA, 2008, 265-276.
[9]	MAROUF S , SHEHAB M , SQUICCIARINI A . Adaptive reordering and clustering-based framework for efficient XACML policy evalua-tion[J]. IEEE Transactions on Services Computing, 2011, 10(4): 300-313.
[10]	王雅皙，冯登国，张立武 . 基于多层次优化技术的XACML策略评估引擎[J]. 软件学报， 2011,22(2):323-338. WANG Y Z , FENG D G , ZHANG L W . XACML policy evaluation engine based on multi-level optimization technology[J]. JJournal of Software, 2011,22(2):323-338.
[11]	王雅皙，冯登国 . 一种XACML规则冲突及冗余分析方法[J]. 计算机学报， 2009,32(3):516-530. WANG Y Z , FENG D G . A conflict and redundancy analysis method for XACML rules[J]. Chinese Journal of Computers, 2009,32(3):516-530.
[12]	STEPIEN B , MATWIN S , FELTY A . An algorithm for compression of XACML access control policy sets by recursive subsumption[A]. 2012 Seventh International Conference on Availability, Reliability and Se-curity[C]. Ottawa, Canada, 2012, 161-167.
[13]	PHILIP L , MISELDINE S A , KARLSRUHE . Automated xacml policy reconfiguration for evaluation optimization[A]. Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems[C] New York, USA, 2008. 1-8.
[14]	TURKMEN F , CRISPO B . Performance evaluation of XACML PDP implementations[A]. Proceedings of the 2008 ACM Workshop on Se-cure web services[C] New York, USA, 2008. 37-44.
[15]	XACML 2.0 conformance tests[EB/OL]. .
[16]	FISLER K , KRISHNAMURTHI S , MEYEROVICH L . Verification and change impact analysis of access-control policies[A]. Proceedings of the 27th International Conference on Software Engineering[C] New York, USA, 2005. 196-205.

Metrics

Recommended 0

No Suggested Reading articles found!

策略id	允许率/%	拒绝率/%	调用频率/(次·周)^?1
1	66	34	47 806
2	89	11	6 312
3	0	0	0

规则id	策略	允许率/%	拒绝率/%	调用频率/(次·周)^?1
1	1	0.4	1.6	826
2	1	0	0	0
3	1	78	20	46 980
4	2	55	45	6 312
5	2	0	0	0
6	3	0	0	0
7	3	0	0	0

Subject	Resource	Action
admin:0	grades/:0	read:0
president:1	grades/excel:1	write:1
teacher:2	wages/:2	—
student:3	wages/excel:3	—

评估引擎	策略加载模式	策略存储模式	策略匹配模式	特殊优化机制
Sun XACML	静态	策略列表	两次匹配	无
Enterprise XACML	静态	一级散列表	一次查找	索引结构
XEngine	静态	树结构	一次匹配	数值化、标准化
MLOBEE	静态	两级散列表	3次查找	规则精简、多级缓存，两级索引
HPEngine	静态	两级散列表	一次匹配	统计分析、规则重排序、数值化、多级缓存、两级索引

HPEngine: high performance XACML policy evaluation engine based on statistical analysis

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 16

References 16

Related Articles 7

Metrics

Recommended 0

[1]	Siya XU, Yifei XING, Shaoyong GUO, Chao YANG, Xuesong QIU, Luoming MENG. Deep reinforcement learning based task allocation mechanism for intelligent inspection in energy Internet [J]. Journal on Communications, 2021, 42(5): 191-204.
[2]	. HPEngine: high performance XACML policy evaluation engine based on statistical analysis HPEngine: high performance XACML policy evaluation engine based on statistical analysis [J]. Journal on Communications, 2014, 35(8): 25-215.
[3]	. Enhanced cloud storage access control scheme based on attribute [J]. Journal on Communications, 2013, 34(Z1): 37-284.
[4]	De-hua NIU,Jian-feng MA,Zhuo MA,Chen-nan LI,Lei WANG. Enhanced cloud storage access control scheme based on attribute [J]. Journal on Communications, 2013, 34(Z1): 276-284.
[5]	Kai-yong XU,Guo-ming CAI,Ming YANG,Zhi-guo LV. Research on access control based on XACML in service oriented architecture [J]. Journal on Communications, 2011, 32(11A): 132-136.
[6]	He HUANG,Su-zhen YAO. Access control model based on dynamic rules [J]. Journal on Communications, 2007, 28(11A): 14-17.
[7]	Xiao-feng LI,Deng-guo FENG,Zheng XU. Access control policy management based on extended-XACML [J]. Journal on Communications, 2007, 28(1): 103-110.